Bug#1070702: bookworm-pu: package nano/7.2-1+deb12u1

2024-06-08 Thread Salvatore Bonaccorso
Hi Jordi,

On Tue, May 07, 2024 at 04:00:15PM +0200, Jordi Mallach wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: n...@packages.debian.org
> Control: affects -1 + src:nano
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> As we did in previous Debian releases, this is an update
> for Debian stable's nano package with selected patches from
> the upstream maintainer.
> 
> 3 of the patches fix minor security issues, and the other one
> fixes a potential data-loss issue.
> 
> Additionally there's a minor update to the default nanorc which
> is a backport from 7.2-2, which was meant to be included in
> Debian 12.0 but freeze came along. It just gets rid of some
> control characters in some commented-out example bindings,
> replacing them with the new style syntax.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> This source update was prompted by Salvatore while discussing one of the
> 3 security issues.

FTR,
https://git.savannah.gnu.org/cgit/nano.git/commit/?id=5e7a3c2e7e118c7f12d5dfda9f9140f638976aa2
now has a CVE assigned as well: CVE-2024-5742. There is no need to redo the
upload, but it would be great to get it accepted for the next point
release.

Regards,
Salvatore



Uploading linux (6.8.12-1)

2024-05-30 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.8.12-1 to unstable, which
imports the last stable version of the 6.8.y series, which is EOL
with 6.8.12. After that a switch to 6.9.y will need to happen.

No packaging changes are included.

Regards,
Salvatore


signature.asc
Description: PGP signature


Uploading linux (6.8.11-1)

2024-05-25 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.8.11-1 to unstable over the
weekend (importing two stable versions, 6.8.10 and 6.8.11).

No other changes are intended to be included; this just brings unstable
up to par with the upstream stable version for the 6.8.y series.

Regards,
Salvatore




Bug#1070998: bookworm-pu: package fossil/2.24-5~deb11u1

2024-05-25 Thread Salvatore Bonaccorso
Hi Bastien,

On Sun, May 12, 2024 at 05:47:31PM +, Bastien Roucariès wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: fos...@packages.debian.org
> Control: affects -1 + src:fossil
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> this bug was opened by previous arrangement with maintainer.
> 
> [ Reason ]
> fossil is affected by a regression due to a security update of apache
> CVE-2024-24795. Backport was chosen
> because upstream does not document all commits needed for fixing the
> regression.

Disclaimer, not SRM so this is not an authoritative answer.

But that means that packaging changes between 1:2.21-1 and the
proposed one are included as well. Are all of those allowed, or
should you individually revert some changes?

E.g. there is 

  * Bump policy
  * Build depend on pkgconfig instead of obsolete pkg-config
and
  * Oops, typo: pkgconf

which might indeed be fine, but should definitely be checked.

Regards,
Salvatore



Bug#1069891: bookworm-pu: package ansible/7.7.0+dfsg-3+deb12u1

2024-05-25 Thread Salvatore Bonaccorso
Hi Lee,

(disclaimer, not a member of the release team)

On Fri, May 10, 2024 at 12:15:56PM +0200, Lee Garrett wrote:
> I have just pushed some meta-data updates, and also a change that fixes
> CVE-2023-4237 in this package. See the commit logs here:
> 
> https://salsa.debian.org/python-team/packages/ansible/-/commits/debian/bookworm-proposed/

My understanding is that SRM would like to have a debdiff posted to
the list with the changes. I realize the previous one was 10M big, and
so might not have made it to the list, and hence is not on the radar
of the SRM.

Stuff might as well be filtered out of the debdiff if needed, and
explained in the mail.

As your proposed update covers a CVE fix as well, it would be great
if it could make it into the next point release.

Regards,
Salvatore



Bug#1070739: bookworm-pu: package python-glance-store/4.1.0-4

2024-05-08 Thread Salvatore Bonaccorso
Hi,

On Wed, May 08, 2024 at 09:52:01AM +0200, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: python-glance-st...@packages.debian.org
> Control: affects -1 + src:python-glance-store
> 
> [ Reason ]
> I would like to update python-glance-store/4.1.0-4 to
> python-glance-store/4.1.1-1+deb12u1 to address CVE-2024-1141
> (aka: #1063795).

Should that be 4.1.1-0+deb12u1 instead? (I do know that 4.1.1-1 was
never in the archive, but that makes sure it sorts before 4.1.1-1.)

Regards,
Salvatore



Bug#1069690: bookworm-pu: package libkf5ksieve/4:22.12.3-1+deb12u1

2024-05-01 Thread Salvatore Bonaccorso
Hi Patrick,

On Mon, Apr 22, 2024 at 09:36:54PM +0200, Patrick Franz wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: delta...@debian.org
> User: release.debian@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> There is a bug in libkf5sieve where the password instead of the
> username is sent when using managesieve and could therefore be
> logged on a server as the login will fail.
> 
> [ Impact ]
> Potentially sensitive passwords are logged on a server.
> 
> [ Tests ]
> Affected user has successfully tested the patched version.
> 
> [ Risks ]
> The patch is trivial (1 line is changed) and it's quite obvious
> that it was a bug in the first place.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 1-line patch to fix the bug.

> diffstat for libkf5ksieve-22.12.3 libkf5ksieve-22.12.3

As it is not yet uploaded for bookworm, you might add the CVE id
reference in the changelog as well: CVE-2023-52723.

p.s.: I think you can take advantage of the improved workflow for this
specific one: if you are sure the package will be accepted as it is
by SRM, you can already do the upload along with filing the proposed
update bug.

(But note, I'm just commenting this with no authority, as I'm not
part of the release team.)

Regards,
Salvatore



Uploading linux (6.7.12-1)

2024-04-23 Thread Salvatore Bonaccorso
Hi

I plan to upload 6.7.12-1 later to unstable. Note, this situation is
far from ideal and I'm personally not very happy with it. 6.7.12 was
the last version in the 6.7.y series and upstream has long moved on to
6.8.y while EOL'ing 6.7.y.

This upload will thus release with a couple of known unfixed
regressions in the 6.7.y series, but is intended as an intermediary
upload only and as preparation for the next 6.8.y upload. Work in
progress for that is already in
https://salsa.debian.org/kernel-team/linux/-/merge_requests/1053

I was pondering whether to cherry-pick known fixes on top (like the
workqueue regressions or the native BHI mitigations), but I concluded
it will be safer and better to just move to a 6.8.y version after
that.

Please do raise your voice if you have concerns.

Regards,
Salvatore




Bug#1065413: bookworm-pu: package openssl/3.0.13-1~deb12u1

2024-04-11 Thread Salvatore Bonaccorso
Hi Sebastian,

On Tue, Apr 09, 2024 at 06:18:13PM +0200, Sebastian Andrzej Siewior wrote:
> On 2024-04-07 23:46:28 [+0200], To Adam D. Barratt wrote:
> > On 2024-03-24 20:06:12 [+], Adam D. Barratt wrote:
> > > 
> > > Sorry for not getting to this sooner. Is this still the case?
> > 
> > So. This happened #1068045 (yapet broke with 1.0 format) due to the
> > update. On the bright side it has been broken in unstable but unnoticed.
> > Looking into it but also sleeping (but making progress).
> 
> yapet is fixed in unstable. My understanding is that the maintainer will
> take care of it.

After two days of exposure of the upload in unstable, it is now
uploaded to bookworm as well. Filed #1068836.

Regards,
Salvatore



Bug#1068836: bookworm-pu: package yapet/2.6-2~deb12u1

2024-04-11 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: ya...@packages.debian.org, car...@debian.org
Control: affects -1 + src:yapet
User: release.debian@packages.debian.org
Usertags: pu

Hi,

[ Reason ]
After the update of openssl/3.0.13-1~deb12u1 in bookworm-pu Sean found
that old 1.0 format databases. While most people should have moved
to 2.0 format databases some time ago, the old ones are still claimed
to be supported. The update of openssl though uncovered a bug in yapet
(present in unstable as well, and fixed there too).

Sebastian explained the situation in https://bugs.debian.org/1068045#94

[ Impact ]
Users using the old 1.0 format could no longer open their store.

[ Tests ]
Done explicitly with an old 1.0 format database provided by Sean,
running the testsuite, and manual checks with 2.0 format databases.

[ Risks ]
Patches provided by the openssl maintainer. While they are not yet
applied upstream, they tackle the bug in yapet as isolated by the
openssl maintainers.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The two patches drop the EVP_CIPHER_CTX_set_key_length() invocation to
keep compatibility with 1.0 databases and with openssl versions.
Quoting the commit:

|yapet did for blowfish:
|
|| EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherUpdate(ctx, …);
|
|this worked in earlier OpenSSL versions and stopped working in
|openssl-3.0.13. The problem here is that the
|EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version
|returns rightfully an error "Provider routines::no key set" here.
|
|Blowfish does support variable key lengths but the key length has to be
|set first followed by the actual key. Otherwise the blocksize (16) will
|be used.
|The correct way to deal with this would be:
|| EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode);
|| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
|| EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode);
|| EVP_CipherUpdate(ctx, …);
|
|Using now the proper way will break earlier databases because in the
|blowfish case, always the default blocksize / 16 has been used.
|
|In order to keep compatibility with earlier versions of the database and
|openssl remove the EVP_CIPHER_CTX_set_key_length() invocation.

While at it, Sebastian also fixed the invocation present in the
crypt/aes code.

[ Other info ]
None.

Regards,
Salvatore
diff -Nru yapet-2.6/debian/changelog yapet-2.6/debian/changelog
--- yapet-2.6/debian/changelog  2022-03-14 14:19:11.0 +0100
+++ yapet-2.6/debian/changelog  2024-04-11 20:40:18.0 +0200
@@ -1,3 +1,16 @@
+yapet (2.6-2~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Salvatore Bonaccorso   Thu, 11 Apr 2024 20:40:18 +0200
+
+yapet (2.6-2) unstable; urgency=medium
+
+  * crypt/blowfish: Remove EVP_CIPHER_CTX_set_key_length() (Closes: #1064724)
+  * crypt/aes: Remove EVP_CIPHER_CTX_set_key_length()
+
+ -- Salvatore Bonaccorso   Mon, 08 Apr 2024 21:32:50 +0200
+
 yapet (2.6-1) unstable; urgency=medium
 
   * New upstream version 2.6
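Review bot: the 2.6-2~deb12u1 entry (`* Rebuild for bookworm`) does not reference the bookworm bug #1068045 that this update is meant to address (the `Closes: #1064724` below it belongs to the unstable upload), so the BTS will not close the bookworm bug on acceptance and the stable changelog does not say why the rebuild happened; consider adding `(Closes: #1068045)` to that entry.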
diff -Nru 
yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch 
yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch
--- 
yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch   
1970-01-01 01:00:00.0 +0100
+++ 
yapet-2.6/debian/patches/crypt-aes-Remove-EVP_CIPHER_CTX_set_key_length.patch   
2024-04-11 20:40:18.0 +0200
@@ -0,0 +1,41 @@
+From aaa573b14bafcc9a6b46495bd4ffc15b90d35902 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior 
+Date: Mon, 8 Apr 2024 18:19:12 +0200
+Subject: [PATCH] crypt/aes: Remove EVP_CIPHER_CTX_set_key_length().
+
+The EVP_CIPHER_CTX_set_key_length() in the AES-256-CBC case is pointless
+because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the
+function does not change the size.
+
+Remove the EVP_CIPHER_CTX_set_key_length() invocation.
+
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ src/libs/crypt/aes256.cc | 11 ---
+ 1 file changed, 11 deletions(-)
+
+diff --git a/src/libs/crypt/aes256.cc b/src/libs/crypt/aes256.cc
+index 1041b9c57347..e105b1a5bedd 100644
+--- a/src/libs/crypt/aes256.cc
 b/src/libs/crypt/aes256.cc
+@@ -113,17 +113,6 @@ EVP_CIPHER_CTX* Aes256::initializeOrThrow(const 
SecureArray& ivec, MODE mode) {
+ throw CipherError{_("Error initializing cipher")};
+ }
+ 
+-success = EVP_CIPHER_CTX_set_key_length(context, getKey()->keySize());
+-if (success != SSL_SUCCESS) {
+-LOG_MESSAGE(std::string{__func__} + ": Error setting key length");
+-destroyContext(context);
+-char msg[YAPET::Consts::EXCEPTION_MESSAGE_BUFF

Bug#1068633: bookworm-pu: package cjson/1.7.15-1+deb12u1

2024-04-08 Thread Salvatore Bonaccorso
Hi,

Disclaimer, this is not an authoritative answer as I'm not part of the
stable release managers.

On Mon, Apr 08, 2024 at 12:27:50PM +0300, Maytham Alsudany wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: cj...@packages.debian.org
> Control: affects -1 + src:cjson
> 
> [ Reason ]
> CVE-2023-50472, CVE-2023-50471
> 
> [ Impact ]
> Segmentation violation via the function cJSON_InsertItemInArray at cJSON.c
> 
> [ Tests ]
> Upstream's test continue to pass, and they have also added new tests to
> cover this security issue.
> 
> [ Risks ]
> Minimal, no change to API. Only minimal changes were made to fix this
> security issue.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - Set myself as Maintainer (I am adopting the package, #1067510)
> - Bump Standards-Version to 4.6.2
> - Add Build-Depends-Package to symbols
> - Backport upstream's patch to 'add NULL checkings'.
>   Upstream adds a few more if statements to avoid the segmentation
>   fault, and thus resolve the security vulnerability.
> 
> [ Other info ]
> If you can spare the time, could you please upload this for me? (I need
> a sponsor, #1068624.) I'm also still waiting for someone to give me
> access to the Salsa repo.
> 
> Thanks,
> Maytham

> diff -Nru cjson-1.7.15/debian/changelog cjson-1.7.15/debian/changelog
> --- cjson-1.7.15/debian/changelog 2021-08-29 23:30:06.0 +0300
> +++ cjson-1.7.15/debian/changelog 2024-04-03 06:57:10.0 +0300
> @@ -1,3 +1,13 @@
> +cjson (1.7.15-1+deb12u1) bookworm-security; urgency=medium

The target distribution should be simply bookworm.

> +
> +  * Update Maintainer field
> +  * Bump Standards-Version to 4.6.2 (no changes)

This is usually not allowed to do in a stable update.

> +  * Backport patch to add NULL checkings (CVE-2023-50472, CVE-2023-50471)
> +(Closes: #1059287)
> +  * Add Build-Depends-Package to symbols

While this might be sensible, I'm not sure if SRM will accept it.

So you might want to adjust the things above already and seek an
ack from SRM.

Regards,
Salvatore



Bug#1066965: bookworm-pu: package newlib/3.3.0-2

2024-04-06 Thread Salvatore Bonaccorso
Hi,

On Tue, Apr 02, 2024 at 12:36:53PM +0200, Petter Reinholdtsen wrote:
> 
> Btw, what is the timeline for approval or rejection for this security
> upload proposal?

Note that if you are confident that the upload is accepted as is, you
*could* already upload according to the improved workflow. *But* given
the uncertainty whether SRM want you to change the version, I would
wait for their ack.

Regards,
Salvatore



Bug#1066965: bookworm-pu: package newlib/3.3.0-2

2024-03-20 Thread Salvatore Bonaccorso
Hi

[disclaimer, not an authoritative answer as not part of the stable
release managers]

On Sat, Mar 16, 2024 at 09:09:05AM +0100, Petter Reinholdtsen wrote:
> 
> Package: release.debian.org
> 
> The https://tracker.debian.org/pkg/newlib package got an open
> security problem with malloc and friends in stable and oldstable, see
> https://bugs.debian.org/984446 for the CVE issue.  The package
> is orphaned.
> 
> I would like to fix the bug at least in stable, and propose the
> following upload.  The change is already in the git repo on salsa in the
> debian/bookworm branch.  The problem is already fixed in unstable and
> testing with a new version of the upstream code.  The fix to stable is
> only the minimal patch to solve the issue.
> 
> I propose to use the version number 3.3.0-2, but am open to better
> proposals.  The version in testing is 4.4.0.20231231-2.

Usually you would choose 3.3.0-1.3+deb12u1 for this update, but given
3.3.0-2 was never present in unstable and the version later moved on,
this is in theory possible.

> 
> Complete proposed patch is below:
> 
> diff --git a/debian/changelog b/debian/changelog
> index b3e3ef851..1c8ddc5cb 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,12 @@
> +newlib (3.3.0-2) bookworm; urgency=medium
> +
> +  * QA upload.
> +  * Orphan package to reflect status in Unstable.
> +  * Added mallocr-CVE-2021-3420.patch to solve incorrect overflow
> +check in malloc and friends.

I would add the bug closer for #984446 as well.

Regards,
Salvatore



Uploading linux (6.7.9-2)

2024-03-13 Thread Salvatore Bonaccorso
Hi

While I realize there are a lot of changes going on in unstable, I still
would like to upload linux version 6.7.9-2 (yes, no new upstream
version) mitigating the Register File Data Sampling (RFDS)
vulnerability (CVE-2023-28746).

This goes along with an intel-microcode update which was already
uploaded to unstable:
https://tracker.debian.org/news/1511674/accepted-intel-microcode-3202403121-source-into-unstable/

  * [x86] Mitigate Register File Data Sampling (RFDS) vulnerability
(CVE-2023-28746):
- x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set
- Documentation/hw-vuln: Add documentation for RFDS
- x86/rfds: Mitigate Register File Data Sampling (RFDS)
- KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests

Regards,
Salvatore




Uploading linux (6.7.9-1)

2024-03-07 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.7.9-1 to unstable soon if
possible. It imports 6.7.8 and 6.7.9 from the 6.7.y stable
series.

Note that src:linux cannot be safely built as a binNMU and thus this is
(for the time being) disabled since
https://salsa.debian.org/kernel-team/linux/-/commit/d7ea1ea90ff4901a89fec9065427ed522f2fa2d9

This means that the triggered rebuilds for the time_t transition did
fail:

https://buildd.debian.org/status/package.php?p=linux

It is planned to include a bugfix on top as well:

  * [x86] platform/x86: p2sb: On Goldmont only cache P2SB and SPI devfn BAR
    (Closes: #1065320)

Regards,
Salvatore




Uploading linux (6.7.7-1)

2024-03-01 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.7.7-1 to unstable over the
weekend. The new upload would consist of a new upstream version
switching to the 6.7.y series in unstable.

Apart from switching from 6.6.y to 6.7.y series there are additional
changes covering:

  * Enable CONFIG_MFD_RK8XX_SPI for RK3588 SoC
- MFD_RK8XX_SPI as built-in, same behavior as MFD_RK8XX_I2C
  * [armhf] Enable DRM_PANEL_MIPI_DBI as a module for
stm32mp157c-lxa-tac-gen2.
  * Backport a patch from v6.8-rc1 to be more verbose about pending deferred
probes helping debugging of failed boot attempts.
  * [arm64] Make PINCTRL_ROCKCHIP builtin.
  * [x86] drivers/hwmon: Enable SENSORS_HP_WMI as module (Closes: #1064507)
  * [loong64] Build kernel image and udebs for loong64 (Closes: #1053650)

The following were already included in earlier experimental uploads:

  * [riscv64] Add clock, MFD, PCIe PHYs, regulator and RTC drivers to
kernel-image udeb.
  * [riscv64] Disable CRYPTO_DEV_JH7110, it is broken.
  * Make linux-libc-dev provide all cross packages.
  * Input: atkbd - skip ATKBD_CMD_SETLEDS when skipping ATKBD_CMD_GETID
(Closes: #1061521)
  * [arm64] drivers/thermal/qcom: enable QCOM_SPMI_ADC_TM5 as module for
thermal throttling on the Lenovo ThinkPad X13s.
  * drivers/hwmon: Enable SENSORS_IIO_HWMON as module (Closes: #1057272)
  * Enable bcachefs filesystem support
- fs/bcachefs: Enable BCACHEFS_FS as module
- fs/bcachefs: Enable BCACHEFS_QUOTA
- fs/bcachefs: Enable BCACHEFS_POSIX_ACL
  * media: solo6x10: replace max(a, min(b, c)) by clamp(b, a, c)
  * [riscv64] Enable ARCH_SOPHGO and ARCH_THEAD.
  * [riscv64] Disable ARCH_R9A07G043 as it now depends on NONPORTABLE.
  * [riscv64] Enable PHY_STARFIVE_JH7110_DPHY_RX, PHY_STARFIVE_JH7110_PCIE and
PHY_STARFIVE_JH7110_USB as modules.
  * [powerpc,ppc64,ppc64el] Drop ipddp from nic-modules.
  * [riscv64] Enable LEDS_PWM and LEDS_PWM_MULTICOLOR as modules.
  * [arm64, armhf] drivers/net/phy: Enable ADIN_PHY as module
(Closes: #1043354)
  * [arm64] Enable CSI camera stack for i.MX8M SoCs (Closes: #1055442)
  * Enable configs for MT8195 Chromebooks:
- COMMON_CLK_MT8195 as built-in
- COMMON_CLK_MT8195_APUSYS, COMMON_CLK_MT8195_AUDSYS,
  COMMON_CLK_MT8195_IMP_IIC_WRAP, COMMON_CLK_MT8195_MFGCFG,
  COMMON_CLK_MT8195_MSDC, COMMON_CLK_MT8195_SCP_ADSP,
  COMMON_CLK_MT8195_VDOSYS, COMMON_CLK_MT8195_VPPSYS,
  COMMON_CLK_MT8195_CAMSYS, COMMON_CLK_MT8195_IMGSYS,
  COMMON_CLK_MT8195_WPESYS, COMMON_CLK_MT8195_VDECSYS,
  COMMON_CLK_MT8195_VENCSYS as modules
- MFD_MT6360, REGULATOR_MT6315, REGULATOR_MT6359,
  REGULATOR_CROS_EC, MTK_LVTS_THERMAL as modules
- MTK_ADSP_MBOX, MTK_ADSP_IPC, SND_SOC_SOF_OF, SND_SOC_MT8195,
  SND_SOC_MT8195_MT6359, SND_SOC_SOF_MT8195 as modules
- SND_SOC_SOF_TOPLEVEL, SND_SOC_SOF_MTK_TOPLEVEL as built-in
- DRM_MEDIATEK_DP, PHY_MTK_DP, PHY_MTK_PCIE, PHY_MTK_UFS as modules
- PINCTRL_MT8195, PCIE_MEDIATEK_GEN3, SPMI_MTK_PMIF as built-in
  * [arm64] drivers/rtc: Enable RTC_DRV_RS5C372 as module
  * Revert "Run dh_movetousr also in signed images."
  * Fix config specified CFLAGS on kernel builds.  Also drop old definitions
that have not worked for a long time.
  * Disable ability to do binNMU.  The Debian infrastructure is not ready
to binNMU signed packages.  But they instead just break the dependencies
within this package.
  * Restructure and cleanup complete config:
- Uses TOML instead of our home-grown INI based format.
- Don't export a config dump anymore, it is not longer in use.
  * Generate and ship vmlinux.h in linux-headers package.
  * [arm64] Set QCOM_QSEECOM and QCOM_QSEECOM_UEFISECAPP to 'y' in order to
add support for EFI variables on the Lenovo X13s.
  * [arm64] Support HDMI output on TI SK-AM62. Enable DRM_SII902X and
DRM_TIDSS as modules.
  * [arm64] udeb: Include sun8i-drm-hdmi module in installer
(Closes: #1050315)
  * Generate separate package tests for every flavour.
  * Fix stripping of vmlinux binaries. (closes: #1059713)
  * Ignore vmlinux for shlibs. (closes: #1059676)
  * Drop not working selftests. (closes: #1059765)
  * Always build with CROSS_COMPILE set.
  * Run dh_movetousr also in signed images.
  * Fix some remaining cross build problems.
  * Enable MODULE_DECOMPRESS 
  * [ppc64] Build PowerNV PCIe hotplug driver as a module
  * [riscv64] udeb: Add efi-modules and xfs-modules.
  * [arm64] Add support for NXP i.MX8M PCIe
- drivers/phy/freescale: Enable PHY_FSL_IMX8M_PCIE as module

I hope it's not too controversial to make the switch to the 6.7.y
series now.

Regards,
Salvatore




Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5

2024-03-01 Thread Salvatore Bonaccorso
Hi Andreas,

On Thu, Feb 01, 2024 at 06:35:38AM +, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Sat, 2024-01-20 at 15:53 +0100, Andreas Metzler wrote:
> > I would like to fix both CVE-2024-0567 and CVE-2024-0553 via a
> > oldstable-updates since they do not require a DSA.
> 
> Please go ahead.

Andreas, did you see the ack from Adam?

FTR, please keep the CVE references now, as we have the incomplete fix
in bullseye for CVE-2023-5981 with 3.7.1-5+deb11u4.

Regards,
Salvatore



Bug#1063675: bookworm-pu: package nvidia-graphics-drivers/525.147.05-6~deb12u1

2024-02-13 Thread Salvatore Bonaccorso
Hi Andreas,

On Mon, Feb 12, 2024 at 12:37:44AM +0100, Andreas Beckmann wrote:
> On 11/02/2024 21.36, Salvatore Bonaccorso wrote:
> > If I can add a comment: I (but note I'm not wearing a
> > nvidia-graphics-drivers maintainer hat) would support that, as there
> > are enough people affected by this. This is quite unfortunate and I'm
> > open to hearing ideas on how we can try to avoid such fallout.
> 
> I was aware of the bug (#1062932) but not of the fact that a point release was
> upcoming. Even if I had been aware of the point release I'm not sure if I
> had realized the impact of this bug enough to make me yell ;-)
> Perhaps once point release dates have been chosen, this could be announced
> to d-d-a@ as well.
> I'm not following debian-release@ ... -ENOTIME
> 
> > As you know we are strictly following upstream stable series (and
> > trying our best to keep an eye on regression reports upstream as well,
> > but OOT modules are not explicitly tested, so neither are the nvidia ones).
> 
> Are autopkgtests being run for proposed-updates? That should have shown the
> issue.

Yes, there are in fact autopkgtests being run, so this should have been
caught (and at least a decision taken on what to do, i.e. not release
6.1.76-1, not ideal, or deal with the nvidia drivers as well during the
still allowed window). But to be very honest: I did miss this regression
report on the overview page. At least according to Paul on IRC the
test should have been run.

> It was unfortunate that this upstream backported change appeared in
> proposed-updates first and in sid only a few days later. And the
> metapackages from linux-signed-amd64 are still depending on the version
> before this change was introduced ... so I only could reproduce the issue
> (and verify fixes) manually. (The module build test done during the package
> build did not use the regressing headers.)

Right, the 6.6.15 upload to unstable had a couple of issues: first it
failed to build the arch:all packages, then linux-signed-amd64 was
waiting to be processed, and once that happened, we now have a FTBFS
due to an interaction with a new kmod upload (filed #1063804). It is not
usual that we would otherwise have that change in bookworm (queued in
proposed-updates) before we had a similar change in unstable (or
experimental).

> Then I had to spend quite some time verifying that the issue only happened
> on amd64 and since the 460 series (despite ppc64el having even more calls
> to pfn_valid() dating back to the 418 series).

I would like to thank you again for the time you invested here to deal
with that issue!

> Andreas
> 
> PS: @Salvatore: Looking forward to see some linux 6.8 packages in
> experimental s.t. I can throw them in my module build chroot to see what
> breaks next :-) Or do you already have some early build available somewhere
> while experimental is still preparing 6.7?

We have to move 6.7.y to unstable next. But I'm not completely sure if
we are there yet; I need to ask Bastian Blank about the plan. After
experimental is freed we can go ahead with 6.8.y for experimental, but
there are no packages to test with yet :(

Regards,
Salvatore



Bug#1063675: bookworm-pu: package nvidia-graphics-drivers/525.147.05-6~deb12u1

2024-02-11 Thread Salvatore Bonaccorso
Hi Jonathan,

On Sun, Feb 11, 2024 at 12:29:45AM +, Jonathan Wiltshire wrote:
> Control: tag -1 confirmed
> 
> On Sat, Feb 10, 2024 at 11:00:58PM +0100, Andreas Beckmann wrote:
> > [ Reason ]
> > 1) A backported (by upstream) change in Linux 6.1.76 (included in
> > today's point release) broke compilation of the non-free nvidia kernel
> > module. A patched version of the driver is available in sid.
> > 
> > 2) In order to simplify future maintenance of the many Nvidia driver
> > packages (also in stable and oldstable) I'm going to remove the
> > distinction between "normal" and "Tesla" drivers (they were at the
> > same version in stable anyway). The Tesla specific bits
> > (src:nvidia-graphics-drivers-tesla) will be merged into
> > src:nvidia-graphics-drivers (that mainly means addition of the ppc64el
> > architecture to these packages, and building some binary packages from
> > src:nvidia-graphics-drivers instead: nvidia-powerd, nvidia-cuda-mps).
> > nvidia-detect has been updated, too, as it no longer needs to
> > distinguish the Tesla variants.
> > There will be one further update to src:nvidia-graphics-drivers-tesla
> > in stable that turns these packages into transitional packages depending
> > on their counterparts from src:nvidia-graphics-drivers. (Separate PU
> > request upcoming.)
> > There will also be a PU request for nvidia-settings, as we need to
> > enable building that on ppc64el. (The src:nvidia-settings-tesla package
> > will then become obsolete.)
> > 
> > 3) In order to better integrate the nvidia driver with the system power
> > management, a new package nvidia-suspend-common is being introduced
> > which properly ships and enables some systemd units that were previously
> > only being shipped as examples. These power management changes are an
> > enhancement for the 525 series, but seem to be required in the 535
> > series. (We will have to switch to the 535 LTSB series in stable soon,
> > as 525 has reached EoL. 535 will be supported till mid 2026, so that will
> > be the last driver branch switch for bookworm.)
> > nvidia-suspend-common was already prepared in the previous pu update,
> > but not yet enabled on stable as it hadn't undergone enough testing. As
> > no new issues have popped up on sid, I'm confident to enable this in
> > stable now.
> 
> Please go ahead. Is this something we should release early through
> stable-updates, given the breakage is caused by a point release?

If I can add a comment: I (but note I'm not wearing a
nvidia-graphics-drivers maintainer hat) would support that, as there
are enough people affected by this. This is quite unfortunate and I'm
open to hearing ideas on how we can try to avoid such fallout.

As you know we are strictly following upstream stable series (and
trying our best to keep an eye on regression reports upstream as well,
but OOT modules are not explicitly tested, so neither are the nvidia ones).

Regards,
Salvatore



Bug#1057107: bullseye-pu: package libssh2/1.9.0-2

2024-02-06 Thread Salvatore Bonaccorso
Hi Nicolas,

On Tue, Feb 06, 2024 at 01:46:04PM -0500, Nicolas Mora wrote:
> Control: tag - moreinfo
> 
> Thanks,
> 
> Sorry, it seems that I'm not very well aware of the BTS process, according
> to [1] this is how I should untag the bug.
> 
> [1] https://www.debian.org/Bugs/server-control

If you provide the moreinfo which was requested, then you can remove
the tag as follows (or with an equivalent control command, e.g. using
-1 for the bug if directly interacting with the bug).

tags 1057107 - moreinfo

Hope this helps; too bad we missed 11.9 for this upload.

Regards,
Salvatore



Re: Uploading linux (6.6.15-1)

2024-02-03 Thread Salvatore Bonaccorso
Hi,

On Sat, Feb 03, 2024 at 12:32:08AM +0100, Cyril Brulebois wrote:
> Salvatore Bonaccorso  (2024-02-02):
> > One thing is still unresolved, thus in addition to the explicit CC to
> > kibi, I'm including debian-boot as well. The armel d-i situation is
> > not yet resolved; debian-boot folks, do you have any input on the
> > situation from the thread in
> > https://lists.debian.org/debian-release/2024/01/msg00089.html ?
> > My gut feeling from what was discussed is that nobody will ever use
> > the d-i on armel.
> 
> I'm not sure how much time armel will stick around (for existing
> systems), but it looks to me that d-i/armel is no longer relevant.

Thanks for your reply on the d-i side of this. So I suggest we move ahead
with transitioning 6.6.y to testing accordingly.

Thanks a lot!

Regards,
Salvatore



Uploading linux (6.6.15-1)

2024-02-02 Thread Salvatore Bonaccorso
Hi,

I would like to upload linux version 6.6.15-1 ideally over the weekend
to unstable. The new version imports two versions of the 6.6.y stable
series (which is upstream an LTS) up to 6.6.15.  It contains a larger
amount of changes as it consisted of versions released after the merge
window upstream for 6.8. Some CVEs are addressed in this update:
CVE-2023-46838, CVE-2023-50431, CVE-2024-1085 and CVE-2024-1085.

As there is an upcoming point release on the weekend of 10th of February
and as the linux uploads for both bullseye 11.9 and bookworm 12.5
need to be ready over the weekend, those should get priority in terms
of having the signed packages available (the rest is done). So maybe
6.6.15-1 should be accepted to be built and then signed packages done
only after we have the linux-signed-{i386,amd64,arm64} for both
bullseye-pu and bookworm-pu.

One thing is still unresolved, thus additionally to the explicit CC to
kibi, as well including debian-boot. We have the armel d-i situation
not yet resolved, debian-boot folks, do you have any input on the
situation from the thread in 
https://lists.debian.org/debian-release/2024/01/msg00089.html ?
My gut feeling from what was discussed is that nobody will ever use
the d-i on armel.

There are no other packaging changes apart from patch refreshes (and
upstream-applied patches) for the rt featureset due to the 6.6.14 and
6.1.15 imports.

Regards,
Salvatore


signature.asc
Description: PGP signature


Uploading linux (6.6.13-1)

2024-01-20 Thread Salvatore Bonaccorso
I would like to upload linux version 6.6.13-1 later today to unstable.
The new version imports two versions of 6.6.y stable series (though
the only commit from 6.6.12 was already included in the last update).
The new upstream stable version fixes CVE-2023-6610 and CVE-2023-6915.

Note, that the armel situation is still unresolved from the
https://lists.debian.org/debian-release/2024/01/msg00089.html thread.

This will still prevent us from going with the 6.6.y series to
testing.

Regards,
Salvatore


signature.asc
Description: PGP signature


Bug#1061190: bullseye-pu: package gnutls28/3.7.1-5+deb11u5

2024-01-20 Thread Salvatore Bonaccorso
Hi,

On Sat, Jan 20, 2024 at 03:53:45PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: gnutl...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:gnutls28
> 
> Hello,
> 
> I would like to fix both CVE-2024-0567 and CVE-2024-0553 via a
> oldstable-updates since they do not require a DSA.

Only a small remark about the CVE tracking, no direct need to change
anything: CVE-2024-0553 exists because of an incomplete fix of
CVE-2024-0553, so technically we have that incomplete fix not yet in
any official bullseye release (apart from the bullseye-pu).

For the security-tracker I thus tend to consider CVE-2024-0553
not-affected for bullseye, but then CVE-2023-5981 only fixed in
3.7.1-5+deb11u5 rather than 3.7.1-5+deb11u4. For that I have done the
following two commits:

https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f30f93b036b864eb245daf7dec5f70a824a7fb5c
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd218ec683140739797aa973d354e00b8660e9b

Let me know if you disagree and we should revert that to track all 3
CVEs for gnutls28 in bullseye.

Regards,
Salvatore



Bug#1061177: bullseye-pu: package tar/1.34+dfsg-1+deb11u1

2024-01-20 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org, Janos Lenart , 
car...@debian.org
Control: affects -1 + src:tar

Dear Stable release managers,

[ Reason ]
tar in bullseye is affected by two issues with assigned CVEs,
CVE-2022-48303 and CVE-2023-39804, both of which do not warrant a DSA
and have minor impact.

[ Impact ]
Remain vulnerable to the two CVEs, with DoS potential.

[ Tests ]
Verified the fixes against the PoCs available for both CVEs.

[ Risks ]
Should be minor, the fixes are targeted to address the respective
issues and taken from upstream git repository. Both fixes are
available in unstable and testing with no regression reports to the
best of my knowledge.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream changes fix the boundary checking in base-256 decoder for
CVE-2022-48303 and the handling of extended header prefixes for
CVE-2023-39804.

[ Other info ]
Nothing else.

Regards,
Salvatore
diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog
--- tar-1.34+dfsg/debian/changelog  2021-02-17 10:55:26.0 +0100
+++ tar-1.34+dfsg/debian/changelog  2024-01-20 10:59:10.0 +0100
@@ -1,3 +1,12 @@
+tar (1.34+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix boundary checking in base-256 decoder (CVE-2022-48303)
+  * Fix handling of extended header prefixes (CVE-2023-39804)
+(Closes: #1058079)
+
+ -- Salvatore Bonaccorso   Sat, 20 Jan 2024 10:59:10 +0100
+
 tar (1.34+dfsg-1) unstable; urgency=medium
 
   * New upstream version
diff -Nru 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
--- 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
1970-01-01 01:00:00.0 +0100
+++ 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
2024-01-20 10:59:10.0 +0100
@@ -0,0 +1,31 @@
+From: Sergey Poznyakoff 
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+Origin: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48303
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425a824..86bcfdd1cc30 100644
+--- a/src/list.c
 b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const 
*type,
+ where++;
+   }
+ }
+-  else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+ {
+   /* Parse base-256 output.  A nonnegative number N is
+represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+2.43.0
+
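Review bot: the `where <= lim - 2` guard is only sound if `lim` marks the end of the `digs`-wide field, which this hunk does not show; if any caller of `from_header` can pass `digs < 2`, `lim - 2` is a pointer computed before the start of the field and the comparison is undefined. Suggest confirming at review time that every caller passes `digs >= 2`, or expressing the guard as a length check (`digs >= 2`) that avoids the pointer arithmetic. The one-line note in the patch header ("Base-256 encoding is at least 2 bytes long") would also read better with the reason spelled out: the `\200`/`\377` marker byte must be followed by at least one magnitude byte before the decoder starts reading.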
diff -Nru 
tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch
--- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
1970-01-01 01:00:00.0 +0100
+++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
2024-01-20 10:59:10.0 +0100
@@ -0,0 +1,62 @@
+From: Sergey Poznyakoff 
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+Origin: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
+Bug-Debian: https://bugs.debian.org/1058079
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+---
+ src/xheader.c | 17 +
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b27cc62..3cd694d1b12a 100644
+--- a/src/xheader.c
 b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+   {
+-if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++  size_t kwlen = strlen (p->keyword);
++if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 
0)
+   return p;
+   }
+ else
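Review bot: in the `locate_handler` hunk the new condition evaluates `keyword[kwlen] == '.'` before `strncmp` has confirmed that `keyword` starts with the `kwlen`-byte prefix, so a keyword shorter than `p->keyword` indexes past its terminating NUL. Swapping the operands fixes that at no cost, because a successful `strncmp` guarantees `kwlen` non-NUL bytes: `if (strncmp (p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')`. The hunk also drops the blank line after the declaration of `p`, which is unrelated whitespace churn in a backported security patch. The `xattr_decoder` hunk named in the header (xmalloc/xstrdup instead of alloca) is cut off at `+@@ -1716` in this debdiff and could not be reviewed here.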
+@@ -1716

Bug#1061176: bookworm-pu: package tar/1.34+dfsg-1.2+deb12u1

2024-01-20 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: t...@packages.debian.org, Janos Lenart , 
car...@debian.org
Control: affects -1 + src:tar

Dear Stable release managers,

[ Reason ]
tar in bookworm is affected by two issues with assigned CVEs,
CVE-2022-48303 and CVE-2023-39804, both of which do not warrant a DSA
and have minor impact.

[ Impact ]
Remain vulnerable to the two CVEs, with DoS potential.

[ Tests ]
Verified the fixes against the PoCs available for both CVEs.

[ Risks ]
Should be minor, the fixes are targeted to address the respective
issues and taken from upstream git repository. Both fixes are
available in unstable and testing with no regression reports to the
best of my knowledge.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The upstream changes fix the boundary checking in base-256 decoder for
CVE-2022-48303 and the handling of extended header prefixes for
CVE-2023-39804.

[ Other info ]
Nothing else.

Regards,
Salvatore
diff -Nru tar-1.34+dfsg/debian/changelog tar-1.34+dfsg/debian/changelog
--- tar-1.34+dfsg/debian/changelog  2023-04-06 16:25:47.0 +0200
+++ tar-1.34+dfsg/debian/changelog  2024-01-20 10:27:07.0 +0100
@@ -1,3 +1,12 @@
+tar (1.34+dfsg-1.2+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix boundary checking in base-256 decoder (CVE-2022-48303)
+  * Fix handling of extended header prefixes (CVE-2023-39804)
+(Closes: #1058079)
+
+ -- Salvatore Bonaccorso   Sat, 20 Jan 2024 10:27:07 +0100
+
 tar (1.34+dfsg-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
--- 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
1970-01-01 01:00:00.0 +0100
+++ 
tar-1.34+dfsg/debian/patches/Fix-boundary-checking-in-base-256-decoder.patch
2024-01-20 10:27:07.0 +0100
@@ -0,0 +1,31 @@
+From: Sergey Poznyakoff 
+Date: Sat, 11 Feb 2023 11:57:39 +0200
+Subject: Fix boundary checking in base-256 decoder
+Origin: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=3da78400eafcccb97e2f2fd4b227ea40d794ede8
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48303
+
+* src/list.c (from_header): Base-256 encoding is at least 2 bytes
+long.
+---
+ src/list.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/list.c b/src/list.c
+index 9fafc425a824..86bcfdd1cc30 100644
+--- a/src/list.c
 b/src/list.c
+@@ -881,8 +881,9 @@ from_header (char const *where0, size_t digs, char const 
*type,
+ where++;
+   }
+ }
+-  else if (*where == '\200' /* positive base-256 */
+- || *where == '\377' /* negative base-256 */)
++  else if (where <= lim - 2
++ && (*where == '\200' /* positive base-256 */
++ || *where == '\377' /* negative base-256 */))
+ {
+   /* Parse base-256 output.  A nonnegative number N is
+represented as (256**DIGS)/2 + N; a negative number -N is
+-- 
+2.43.0
+
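Review bot: as in the bullseye debdiff, the `where <= lim - 2` guard relies on `lim` being the end of the `digs`-wide field, which is not visible in this hunk; if a caller of `from_header` can pass `digs < 2`, `lim - 2` points before the field. Worth confirming the callers, or writing the guard as `digs >= 2`. A word in the patch header on why two bytes are the minimum (marker byte plus at least one magnitude byte) would help the next reader.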
diff -Nru 
tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch
--- tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
1970-01-01 01:00:00.0 +0100
+++ tar-1.34+dfsg/debian/patches/Fix-handling-of-extended-header-prefixes.patch 
2024-01-20 10:27:07.0 +0100
@@ -0,0 +1,62 @@
+From: Sergey Poznyakoff 
+Date: Sat, 28 Aug 2021 16:02:12 +0300
+Subject: Fix handling of extended header prefixes
+Origin: 
https://git.savannah.gnu.org/cgit/tar.git/commit/?id=a339f05cd269013fa133d2f148d73f6f7d4247e4
+Bug-Debian: https://bugs.debian.org/1058079
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-39804
+
+* src/xheader.c (locate_handler): Recognize prefix keywords only
+when followed by a dot.
+(xattr_decoder): Use xmalloc/xstrdup instead of alloc
+---
+ src/xheader.c | 17 +
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/src/xheader.c b/src/xheader.c
+index 4f8b2b27cc62..3cd694d1b12a 100644
+--- a/src/xheader.c
 b/src/xheader.c
+@@ -637,11 +637,11 @@ static struct xhdr_tab const *
+ locate_handler (char const *keyword)
+ {
+   struct xhdr_tab const *p;
+-
+   for (p = xhdr_tab; p->keyword; p++)
+ if (p->prefix)
+   {
+-if (strncmp (p->keyword, keyword, strlen(p->keyword)) == 0)
++  size_t kwlen = strlen (p->keyword);
++if (keyword[kwlen] == '.' && strncmp (p->keyword, keyword, kwlen) == 
0)
+   return p;
+   }
+ else
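Review bot: same remark as for the bullseye debdiff: `keyword[kwlen] == '.'` is tested before `strncmp` has established that `keyword` is at least `kwlen` bytes long, so a short keyword reads past its NUL terminator. Evaluating `strncmp (p->keyword, keyword, kwlen) == 0` first and `keyword[kwlen] == '.'` second makes the index safe. The `xattr_decoder` hunk mentioned in the header is truncated at `+@@ -1716` here.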
+@@ -1716
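
The [ Changes ] sections of this bookworm request and of the bullseye one for #1061177 above describe the two parsing rules the patches tighten: a base-256 numeric field must be at least two bytes (marker byte plus one magnitude byte), and an extended-header prefix keyword only matches when followed by a dot. The following is an added example written for this page, not code from GNU tar, from the Debian package or from the debdiffs; it re-implements both rules stand-alone so they can be exercised on constructed input. `decode_base256`, `locate_handler`, `xhdr_table` and the sample fields are our own names and data (the table entries are illustrative), and the `strncmp`-before-index ordering in `locate_handler` is a choice of this example. With the old prefix rule a keyword such as `SCHILY.xattrs` would have been routed to the `SCHILY.xattr` handler; here it is not.

```c
/* Added example for this page; not GNU tar code. Re-implements the two
 * parsing rules changed by the CVE-2022-48303 and CVE-2023-39804 patches
 * with names of our own, on constructed header fields. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a `digs`-byte tar numeric field in GNU base-256 form: first byte
 * 0x80 (non-negative) or 0xFF (negative), then the two's-complement
 * magnitude, big-endian. Returns false for a plain octal field, a field too
 * short to hold marker + one digit, or a value that does not fit int64_t. */
static bool decode_base256(const unsigned char *field, size_t digs, int64_t *out)
{
    if (digs < 2)                         /* the length check the patch adds */
        return false;
    if (field[0] != 0x80 && field[0] != 0xFF)
        return false;                     /* not base-256: caller parses octal */

    bool negative = (field[0] == 0xFF);
    uint64_t acc = negative ? UINT64_MAX : 0;   /* sign-extended accumulator */
    for (size_t i = 1; i < digs; i++) {
        /* The byte about to be shifted out must be pure sign extension,
         * otherwise the magnitude already exceeds 64 bits. */
        if ((uint8_t)(acc >> 56) != (negative ? 0xFF : 0x00))
            return false;
        acc = (acc << 8) | field[i];
    }
    /* The final sign bit must agree with the marker, else the magnitude
     * overflowed the 63 bits available in int64_t. */
    if (((acc >> 63) != 0) != negative)
        return false;
    memcpy(out, &acc, sizeof *out);       /* reinterpret two's-complement bits */
    return true;
}

/* Convenience wrapper: decoded value, or `fallback` when rejected. */
static int64_t decode_or(const unsigned char *field, size_t digs, int64_t fallback)
{
    int64_t v;
    return decode_base256(field, digs, &v) ? v : fallback;
}

/* Extended-header keyword table in the spirit of tar's xhdr_tab (entries are
 * illustrative): `prefix` entries match "KEYWORD.anything", others exactly. */
struct xhdr_entry { const char *keyword; bool prefix; };
static const struct xhdr_entry xhdr_table[] = {
    { "size",         false },
    { "path",         false },
    { "SCHILY.xattr", true  },
    { NULL,           false },
};

static const struct xhdr_entry *locate_handler(const char *keyword)
{
    for (const struct xhdr_entry *p = xhdr_table; p->keyword; p++) {
        if (p->prefix) {
            size_t kwlen = strlen(p->keyword);
            /* strncmp first: it stops at the first mismatch or NUL, so when
             * it succeeds `keyword` has at least kwlen bytes and the
             * keyword[kwlen] read is in bounds (at worst the NUL). */
            if (strncmp(p->keyword, keyword, kwlen) == 0 && keyword[kwlen] == '.')
                return p;
        } else if (strcmp(p->keyword, keyword) == 0) {
            return p;
        }
    }
    return NULL;
}

/* Matched table keyword, or "" when no handler applies. */
static const char *handler_name(const char *keyword)
{
    const struct xhdr_entry *e = locate_handler(keyword);
    return e ? e->keyword : "";
}

/* Constructed 12-byte size fields (not taken from a real archive). */
static const unsigned char fld_8gib[12]   = {0x80,0,0,0,0,0,0,0x02,0,0,0,0};  /* 0x02 << 32 */
static const unsigned char fld_minus2[12] = {0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
                                             0xFF,0xFF,0xFF,0xFF,0xFF,0xFE};
static const unsigned char fld_toobig[12] = {0x80,0,0,0,0x80,0,0,0,0,0,0,0};  /* 2^63 */
static const unsigned char fld_short[1]   = {0xFF};                           /* marker only */
static const unsigned char fld_octal[12]  = "00000000644";                    /* plain octal */

int main(void)
{
    printf("8 GiB field   -> %lld\n", (long long)decode_or(fld_8gib, 12, -1));
    printf("-2 field      -> %lld\n", (long long)decode_or(fld_minus2, 12, 0));
    printf("2^63 field    -> %s\n", decode_or(fld_toobig, 12, -1) == -1 ? "rejected" : "decoded");
    printf("1-byte field  -> %s\n", decode_or(fld_short, 1, -1) == -1 ? "rejected" : "decoded");
    printf("SCHILY.xattr.user.mime_type -> '%s'\n", handler_name("SCHILY.xattr.user.mime_type"));
    printf("SCHILY.xattrs               -> '%s'\n", handler_name("SCHILY.xattrs"));
    return 0;
}
```

The overflow checks are stricter than a minimal decoder needs, but a size field that does not fit in 64 bits is exactly the kind of input a crafted archive carries, so rejecting it explicitly is cheaper than reasoning about what the shift would do.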

Re: Uploading linux (6.6.10-1)

2024-01-07 Thread Salvatore Bonaccorso
Hi,

On Sun, Jan 07, 2024 at 02:14:30PM +0100, Bastian Blank wrote:
> On Sun, Jan 07, 2024 at 02:03:32PM +0100, Salvatore Bonaccorso wrote:
> > I would like to upload linux version 6.6.10-1 later today to unstable.
> 
> I would like to have 6.6.9 in testing first, but we can also ignore
> that.

No, it's fine, I will wait with the 6.6.10-1 upload until 6.6.9-1
migrates. It should, but I'm unsure about the failing glibc
autopkgtest on arm64 (OTOH you have filed #1060202, so if that's flaky
as well then we could ignore those and let 6.6.9-1 migrate).

Regards,
Salvatore



Uploading linux (6.6.10-1)

2024-01-07 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.6.10-1 later today to unstable.
The new version imports one more 6.6.y stable series version (6.6.10).
The new upstream stable version fixes in particular CVE-2024-0193
(which is already addressed in bookworm-security and
bullseye-security).

There is one additional commit included (which is already queued for
the next stable series) to address #1058887:

   * wifi: iwlwifi: pcie: don't synchronize IRQs from IRQ (Closes: #1058887)

Regards,
Salvatore


signature.asc
Description: PGP signature


Bug#1059291: bookworm-pu: package spip/4.1.9+dfsg-1+deb12u3

2023-12-30 Thread Salvatore Bonaccorso
Hi,

On Fri, Dec 22, 2023 at 01:28:00PM +0100, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:spip
> 
> Hi,
> 
> This issue is similar to #1059289 for oldstable.
> 
> Another upstream release fixed a security (XSS) issue. The last two
> updates of this kind didn’t warrant a DSA, so I guess this one will not
> warrant one either (security team X-D-CCed in case I’m wrong).

To confirm, from security team perspective, this does not warrant a
DSA and can be fixed in the upcoming point release.

Regards,
Salvatore



Bug#1059289: bullseye-pu: package spip/3.2.11-3+deb11u10

2023-12-30 Thread Salvatore Bonaccorso
Hi,

On Fri, Dec 22, 2023 at 01:21:56PM +0100, David Prévot wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: s...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:spip
> 
> Another upstream release fixed a security (XSS) issue. The last two
> updates of this kind didn’t warrant a DSA, so I guess this one will not
> warrant one either (security team X-D-CCed in case I’m wrong).

To confirm, from security team perspective, this does not warrant a
DSA and can be fixed in the upcoming point release.

Regards,
Salvatore



Bug#1059427: bullseye-pu: package haproxy/2.2.9-2+deb11u6

2023-12-25 Thread Salvatore Bonaccorso
Hi,

On Mon, Dec 25, 2023 at 10:35:16AM +0100, Tobias Frost wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: hapr...@packages.debian.org, t...@security.debian.org
> Control: affects -1 + src:haproxy
> 
> Hi,
> 
> For ELTS I was fixing haproxy's CVES CVE-2023-40225 and CVE-2023-45539,
> and I also like to fix those for stable and oldstable.
> 
> CC'ing the security team, in case they want to issue an DSA instead.
> 
> The changes can also be found on the LTS repository:
> https://salsa.debian.org/lts-team/packages/haproxy
> 
> [ Tests ]
> I've tested the fixes manually, using netcat to inject
> problematic http requests and confirm that the patched
> version rejects the malicious requests. (using nginx and
> also netcat as http server.)
> 
> (Being verbose here to document the tests for later reference ;-))
> 
> haproxy is listening on port 8080
> 
> e.g for CVE-2023-40225:
> echo 'GET /index.nginx-debian.html# HTTP/1.0' | netcat localhost 8080
> must be rejected with 400 Bad Request
> and without the "#" accepted.
> 
> for CVE-2023-45539, nginx is stopped, and netcat listens on port 80:
> echo 'GET / HTTP/.1.1
> host: whatever
> content-length:
> ' | netcat localhost 8080
> 
> If the request is accepted (and forwarded to the listening netcat),
> haproxy is vulnerable. If a "400 Bad request" is thrown, without
> netcat receiving something, haproxy is not vulnerable.
> 
> (haproxy is running on port 8080)
> 
> [ Risks ]
> Upstream patch, applied cleanly.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> Debdiff attached.
> 
> I've uploaded the package to o-s-p-u already.

Thanks, but I have already worked on the haproxy update for bullseye
and bookworm.

SRM, can you please reject the packages from stable-new and
oldstable-new so once I release the DSA, that version won't clash
version-wise?

Regards,
Salvatore
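
The quoted test plan above checks a running haproxy by hand with two netcat requests. The script below is an added example for this thread, not part of the bug report or of the haproxy package: it wraps the same two probes (a `#` fragment in the request-target, and an empty `Content-Length` header) in functions and classifies the status line haproxy returns. It assumes, as the report does, that haproxy listens on localhost:8080 and that the backend is a dummy listener you control; `nc` with `-w` is assumed to be the OpenBSD/traditional netcat. The probes are not tied to a CVE number here, only to the behaviour each one exercises.

```sh
#!/bin/sh
# Added example for this thread (not from the haproxy package): the two manual
# netcat probes from the quoted test plan, as functions. Assumes haproxy on
# localhost:8080 and a dummy backend you control.
HAPROXY_HOST="${HAPROXY_HOST:-localhost}"
HAPROXY_PORT="${HAPROXY_PORT:-8080}"

# Send a raw request (printf %b expands the \r\n) and return the status line.
send_probe() {
    printf '%b' "$1" | nc -w 3 "$HAPROXY_HOST" "$HAPROXY_PORT" 2>/dev/null \
        | head -n 1 | tr -d '\r'
}

# Classify a status line: 400 means haproxy refused the request itself.
classify_status() {
    case "$1" in
        HTTP/1.?" 400"*)     echo rejected ;;
        HTTP/1.?" "[1-5]??*) echo accepted ;;
        *)                   echo no-reply ;;
    esac
}

# Probe 1: '#' (a URI fragment) in the request-target. A patched haproxy
# answers 400; the same target without '#' must still be accepted.
probe_fragment() {
    classify_status "$(send_probe 'GET /index.nginx-debian.html# HTTP/1.0\r\n\r\n')"
}
probe_fragment_control() {
    classify_status "$(send_probe 'GET /index.nginx-debian.html HTTP/1.0\r\n\r\n')"
}

# Probe 2: an empty Content-Length header. A patched haproxy answers 400
# without forwarding anything; an unpatched one forwards it to the backend.
probe_empty_content_length() {
    classify_status "$(send_probe 'GET / HTTP/1.1\r\nHost: whatever\r\nContent-Length:\r\n\r\n')"
}

run_all() {
    for p in probe_fragment probe_empty_content_length; do
        r=$($p)
        printf '%-27s %s\n' "$p:" "$r"
        [ "$r" = rejected ] || printf '  -> expected 400; haproxy on %s:%s looks unpatched or unreachable\n' \
            "$HAPROXY_HOST" "$HAPROXY_PORT"
    done
    printf '%-27s %s (must be accepted)\n' "probe_fragment_control:" "$(probe_fragment_control)"
}

# Run the probes only when invoked with "run", so the file can also be sourced.
case "${1:-}" in run) run_all ;; esac
```

Invoke it as `sh haproxy-probes.sh run` with the backend listener started first; a `no-reply` result means haproxy closed the connection without a status line or was unreachable, which is worth distinguishing from an explicit 400 before calling a build fixed.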



Bug#1059235: bookworm-pu: package fish/3.6.0-3.1+deb12u1

2023-12-21 Thread Salvatore Bonaccorso
Hi,

On Thu, Dec 21, 2023 at 03:16:22PM -0500, M. Zhou wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: f...@packages.debian.org
> Control: affects -1 + src:fish
> 
> 
> [ Reason ]
> 
> Cherry-pick upstream fix to CVE-2023-49284
> 
> [ Impact ]
> 
> This is a low severity security issue that affects basically
> all historical releases of fish. The upstream created new
> releases (i.e. 3.6.2) solely for fixing this bug.
> https://github.com/fish-shell/fish-shell/commits/Integration_3.6.2/
> So it would be good if we can integrate the fix into stable.
> 
> 
> [ Tests ]
> 
> The fix is already included in fish/3.6.4-1 (sid).
> The rebased patch passed my local sbuild test.
> I installed the package in a chroot and tested it.
> 
> [ Risks ]
> 
> low.
> 
> [ Checklist ]
>   [x] *all* changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in (old)stable
>   [x] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> Only one change. Please refer to the patch header for explanation.
> 
> [ Other info ]
> 
> diff -Nru fish-3.6.0/debian/changelog fish-3.6.0/debian/changelog
> --- fish-3.6.0/debian/changelog 2023-05-01 13:01:01.0 -0400
> +++ fish-3.6.0/debian/changelog 2023-12-21 14:47:56.0 -0500
> @@ -1,3 +1,9 @@
> +fish (3.6.0-3.1+deb12u1) bookworm; urgency=medium
> +
> +  * Cherry-pick upstream fix for CVE-2023-49284.

Can you add a bug closer for #1057455 as well?

Regards,
Salvatore



Bug#1057179: Acknowledgement (bookworm-pu: package mariadb-10.6 1:10.11.6-0+deb12u1)

2023-12-09 Thread Salvatore Bonaccorso
Hi Otto,

On Sat, Dec 09, 2023 at 10:58:09PM +0800, Otto Kekäläinen wrote:
> Hi Debian security team!
> 
> MariaDB 1:10.11.6-1 entered Trixie only today after being stuck in
> pending migration since Nov 28th from unstable. This
> 1:10.11.6-0+deb12u1 missed the point update window.
> 
> Are you OK if we proceed with this as a security upload?

I do not think we really need that. There is only scarce information
on the only CVE fixed, CVE-2023-22084, and the official description
seems to require a high privileged attacker.

But maybe you could reach out to MariaDB upstream so we can have a
better idea on the fixed issue?

I would suggest you just upload what you prepared to the
proposed-updates queues so it can be exposed to further testing by the
release team tooling, and it will be included in the 12.4 point
release.

That is not even a problem if there will be a later incremental update
on it.

Regards,
Salvatore



Re: Bug#1057843: linux: ext4 data corruption in 6.1.64-1

2023-12-09 Thread Salvatore Bonaccorso
Hi,

On Sat, Dec 09, 2023 at 03:07:37PM +0100, Salvatore Bonaccorso wrote:
> Source: linux
> Version: 6.1.64-1
> Severity: grave
> Tags: upstream
> Justification: causes non-serious data loss
> X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, 
> a...@debian.org
> 
> Hi
> 
> I'm filing this for visibility.
> 
> There might be an ext4 data corruption issue with the kernel released
> in the 12.3 bookworm point release (which is addressed in 6.1.66
> upstream already).
> 
> The report about the regression and some details:
> 
> https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/

6.1.66 upstream fixes the issue:

# uname -a
Linux bookworm-amd64 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 
(2023-12-06) x86_64 GNU/Linux
# LTP_SINGLE_FS_TYPE=ext4 LTP_DEV_FS_TYPE=ext4 ./preadv03_64
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
tst_test.c:1690: TINFO: LTP version: 20230929-194-g5c096b2cf
tst_test.c:1574: TINFO: Timeout per run is 0h 00m 30s
tst_supported_fs_types.c:149: TINFO: WARNING: testing only ext4
tst_supported_fs_types.c:90: TINFO: Kernel supports ext4
tst_supported_fs_types.c:55: TINFO: mkfs.ext4 does exist
tst_test.c:1650: TINFO: === Testing on ext4 ===
tst_test.c:1105: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts=''
mke2fs 1.47.0 (5-Feb-2023)
tst_test.c:1119: TINFO: Mounting /dev/loop0 to /tmp/LTP_preGGYjTj/mntpoint 
fstyp=ext4 flags=0
preadv03.c:102: TINFO: Using block size 512
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'a' expectedly
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'a' expectedly
preadv03.c:87: TPASS: preadv(O_DIRECT) read 512 bytes successfully with content 
'b' expectedly

Summary:
passed   3
failed   0
broken   0
skipped  0
warnings 0

Regards,
Salvatore



Bug#1057843: linux: ext4 data corruption in 6.1.64-1

2023-12-09 Thread Salvatore Bonaccorso
Source: linux
Version: 6.1.64-1
Severity: grave
Tags: upstream
Justification: causes non-serious data loss
X-Debbugs-Cc: debian-release@lists.debian.org, car...@debian.org, 
a...@debian.org

Hi

I'm filing this for visibility.

There might be an ext4 data corruption issue with the kernel released
in the 12.3 bookworm point release (which is addressed in 6.1.66
upstream already).

The report about the regression and some details:

https://lore.kernel.org/stable/20231205122122.dfhhoaswsfscuhc3@quack3/

Regards,
Salvatore



Re: maintainer built binary package in stable release, still (Re: Bug#1054401: bookworm-pu: package nagios-plugins-contrib/42.20230308+deb12u1)

2023-12-07 Thread Salvatore Bonaccorso
Hi Adam,

On Thu, Dec 07, 2023 at 01:56:34PM +, Adam D. Barratt wrote:
> On Thu, 2023-12-07 at 12:40 +0100, Paul Gevers wrote:
> > Hi,
> > 
> > On 07-12-2023 12:20, Adrian Bunk wrote:
> > > On Thu, Dec 07, 2023 at 11:18:42AM +0100, Paul Gevers wrote:
> > > > I hope that in several hours,
> > > > https://release.debian.org/britney/excuses_s-p-u.html will have
> > > > the answer.
> > > 
> > > it should find packages like jtreg6 that are scheduled for the next
> > > point release, but it won't find packages like gmp that went into
> > > bullseye 2 years ago.
> > 
> > Ack. Indeed it spots:
> > cacti, fastdds, freetype, grub-efi-amd64-signed, grub-efi-arm64-
> > signed, 
> > grub-efi-ia32-signed, jtreg6, llvm-toolchain-16, node-babel7, 
> > node-browserify-sign and slurm-wlm. A bunch of them have arch:all
> > binaries.
> 
> Heh at cacti being in the list. :-)
> 
> fwiw the grub-efi-*-signed packages were built on buildds, in the
> security archive. They got rejected when they were copied over to ftp-
> master, due to the grub2 versus grub-efi-* naming issue that's been
> mentioned on debian-release before. In order to get them into stable-
> new, I resigned the changes files and re-uploaded them. The packages
> themselves are identical to those released via security.d.o (they're
> the same files).
> 
> Similarly, the two fastdds uploads were rejected between the security
> archive and ftp-master as the buildd keys had expired in the meantime,
> so I simply re-signed and re-uploaded them.
> 
> Relatedly, if a binary upload was performed to the security archive
> then any binNMUs should likely happen there and then be synced across
> to stable, otherwise we're only resolving part of the issue.

Hmm, technically likely right, but in security we cannot very well
handle the binNMUs (only if the source is already present there,
otherwise ftp-masters need to inject the sources first).

This is related to
https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull?highlight=%28gen-DSA%29#BinNMUs
and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823820 (well
more broadly to have source available).

Regards,
Salvatore



Re: Bug in linux 6.1.64-1 (source) into proposed-updates

2023-12-05 Thread Salvatore Bonaccorso
Hi,

On Tue, Dec 05, 2023 at 06:14:43PM +0100, djw6g6b5...@temp.mailbox.org wrote:
> There' s a bug in linux-image-amd64 version 6.1.64-1 for bookworm.
> The updates breaks wlan on a Lenovo T490s. Current versions used to work
> fine. I' m unable to submit a bug report. ('Message with no Package: tag
> cannot be processed! (linux-image-amd64 (version 6.1.64-1 breaks Wlan
> functionality))
> ')
> 
> Can you please pass this Info to the maintainers? If any more info is needed
> please let me know.

Please do file a bug, ideally with reportbug so additional system
information is already attached with the initial report. Please do
attach to that bug report as well kernel logs.

If you cannot use reportbug, the above seems to indicate that, then
make sure to add the pseudo-headers as well as described in
https://www.debian.org/Bugs/Reporting .

Hope this helps already,

Regards,
Salvatore



Bug#1057274: bookworm-pu: package gimp/2.10.34-1+deb12u2

2023-12-02 Thread Salvatore Bonaccorso
Hi Adrian,

On Sat, Dec 02, 2023 at 04:46:22PM +0200, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: Salvatore Bonaccorso 
> 
>   * Add Conflicts+Replaces: gimp-dds to remove old versions of this
> plugin shipped by gimp itself since 2.10.10. (Closes: #1057149)
> 
> gimp-dds is an older version of a plugin already included
> in gimp in bookworm, it also has CVE-2023-1 (DSA-5564-1)
> unfixed.
> 
> Removal of gimp-dds from bookworm has already been requested
> in #1056710, this update additionally removes stale versions
> a user might still have installed.

Thanks for taking care of it.

Regards,
Salvatore



Bug#1054421: bookworm-pu: package weborf/0.19

2023-11-29 Thread Salvatore Bonaccorso
Hi Salvo,

On Wed, Nov 29, 2023 at 11:39:40PM +0100, Salvo Tomaselli wrote:
> Hello,
> 
> Go ahead with what?
> 
> Do a new debdiff with the fixed version in the changelog?

I understand Adam as "please just adjust the version as discussed to
0.19-2.1+deb12u1 and then feel free to upload the package for
bookworm".

Regards,
Salvatore



Uploading linux (6.5.13-1)

2023-11-28 Thread Salvatore Bonaccorso
Hi,

I would like to upload linux version 6.5.13-1 today to unstable. The
new version imports new stable series versions up to 6.5.13. A
(manual) ABI bump is included.

With the upload CVE-2023-6111 is addressed as well.

The RT patchset remains disabled and is pending to be enabled with the
6.6.y versions to experimental. After at least one upload of the 6.6.y
series to experimental, we *might* move it to unstable, but Bastian
has a better overview if we will be already able to do it.

There are no other packaging changes this time apart the ABI bump.

Regards,
Salvatore


signature.asc
Description: PGP signature


Bug#1007884: bullseye-pu: package glewlwyd/2.5.2-2+deb11u2

2023-11-27 Thread Salvatore Bonaccorso
Hi Nicolas,

On Mon, Nov 27, 2023 at 08:00:39AM -0500, Nicolas Mora wrote:
> Hello,
> 
> Here is a new debdiff for the glewlwyd/2.5.2-2+deb11u2 package, which now
> also includes the fix for CVE-2023-49208.

> diff -Nru glewlwyd-2.5.2/debian/changelog glewlwyd-2.5.2/debian/changelog
> --- glewlwyd-2.5.2/debian/changelog   2021-12-17 07:51:46.0 -0500
> +++ glewlwyd-2.5.2/debian/changelog   2023-11-24 08:14:30.0 -0500
> @@ -1,3 +1,18 @@
> +glewlwyd (2.5.2-2+deb11u2.1) bullseye; urgency=medium

Small remark, the version ideally is set to 2.5.2-2+deb11u3.

Regards,
Salvatore



Bug#1056711: RM: gimp-dds/3.0.1-1

2023-11-25 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: t...@security.debian.org, Adrian Bunk , 
car...@debian.org

Dear stable release managers,

Please remove src:gimp-dds in the next bullseye point release. It has
been integrated into gimp upstream since 2.10.10.

Removal is possible:

carnil@coccia:~$ dak rm --suite=bullseye -n -R gimp-dds
Will remove the following packages from bullseye:

  gimp-dds |3.0.1-1 | source
  gimp-dds | 3.0.1-1+b1 | amd64, arm64, armel, armhf, i386, mips64el, mipsel, 
ppc64el, s390x

Maintainer: Debian Games Team 

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.

carnil@coccia:~$

For unstable it has been removed this year with #1043520. Additionally
a gimp point release update might add a Breaks so the package gets
deinstalled as well.

Regards,
Salvatore



Bug#1056710: RM: gimp-dds/3.0.1-3

2023-11-25 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: t...@security.debian.org, b...@debian.org, car...@debian.org

Dear stable release managers,

Please remove src:gimp-dds in the next bookworm point release. It has
been integrated into gimp upstream since 2.10.10.

Removal is possible:

carnil@coccia:~$ dak rm --suite=bookworm -n -R gimp-dds
Will remove the following packages from bookworm:

  gimp-dds |3.0.1-3 | source, amd64, arm64, armel, armhf, i386, mips64el, 
mipsel, ppc64el, s390x

Maintainer: Debian QA Group 

--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.

carnil@coccia:~$

For unstable it has been removed this year with #1043520. Additionally
a gimp point release update might add a Breaks so the package gets
deinstalled as well.

Regards,
Salvatore



Bug#1055965: bookworm-pu: package network-manager-openconnect/1.2.8-3+deb12u1

2023-11-14 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: network-manager-openconn...@packages.debian.org, Florian Echtler 
, Luca Boccassi , car...@debian.org
Control: affects -1 + src:network-manager-openconnect

Hi Stable release managers,

[ Reason ]
In recent cases where institutions updated their Cisco AnyConnect
server, connecting with openconnect requires passing an appropriate
UserAgent. Cf. for instance
https://gitlab.com/openconnect/openconnect/-/issues/544 .
The network-manager-openconnect plugin for NetworkManager had no
possibility to configure this. As a result, after such updates users using
the NetworkManager plugin cannot connect to the VPN servers.

[ Impact ]
Impossibility to use the NetworkManager plugin for openconnect in
situations where the Cisco AnyConnect server has been updated.

[ Tests ]
I manually tested the plugin in one affected configuration. After the
update the GUI field for configuring the UserAgent can be configured
for the specific configuration.

[ Risks ]
Patches have been taken from upstream and apply with minor context
tweak to the older version. Luca has reviewed and acked the MR in 
https://salsa.debian.org/debian/network-manager-openconnect/-/merge_requests/6

[ Checklist ]
  [x] *all* changes are documented in the d/changelog

(the salsa pipeline one is not, but has no user impact)

  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Adds support for the mentioned UserAgent field and setting.

[ Other info ]
Nothing.

Regards,
Salvatore
diff -Nru network-manager-openconnect-1.2.8/debian/changelog 
network-manager-openconnect-1.2.8/debian/changelog
--- network-manager-openconnect-1.2.8/debian/changelog  2022-05-21 
15:35:15.0 +0200
+++ network-manager-openconnect-1.2.8/debian/changelog  2023-11-14 
15:15:44.0 +0100
@@ -1,3 +1,14 @@
+network-manager-openconnect (1.2.8-3+deb12u1) bookworm; urgency=medium
+
+  [ Salvatore Bonaccorso ]
+  * Add User Agent to Openconnect VPN for NetworkManager (Closes:
+#1053467)
+  * Use openconnect_set_useragent() where available
+  * Add support for GTK4 in user-agent calls
+  * Add Build-Depends on libgtk-4-bin for gtk4-builder-tool
+
+ -- Luca Boccassi   Tue, 14 Nov 2023 14:15:44 +
+
 network-manager-openconnect (1.2.8-3) unstable; urgency=medium
 
   * Bump Standards-Version to 4.6.1, no changes
diff -Nru network-manager-openconnect-1.2.8/debian/control 
network-manager-openconnect-1.2.8/debian/control
--- network-manager-openconnect-1.2.8/debian/control2022-05-21 
15:35:15.0 +0200
+++ network-manager-openconnect-1.2.8/debian/control2023-11-14 
15:15:44.0 +0100
@@ -8,6 +8,7 @@
libgcr-3-dev,
libglib2.0-dev,
libgtk-3-dev,
+   libgtk-4-bin,
libgtk-4-dev,
libnm-dev,
libnma-dev,
diff -Nru network-manager-openconnect-1.2.8/debian/gbp.conf 
network-manager-openconnect-1.2.8/debian/gbp.conf
--- network-manager-openconnect-1.2.8/debian/gbp.conf   2022-03-14 
00:08:09.0 +0100
+++ network-manager-openconnect-1.2.8/debian/gbp.conf   2023-11-14 
15:15:44.0 +0100
@@ -1,5 +1,6 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch = debian/bookworm
 
 [import-orig]
 upstream-vcs-tag = %(version)s
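Review bot: the `+debian-branch = debian/bookworm` line added to debian/gbp.conf is not recorded in the debian/changelog hunk above, which lists only the User-Agent, openconnect_set_useragent(), GTK4 and libgtk-4-bin changes; either add a changelog line for it or mention it in the request next to the Salsa pipeline change that is already noted as undocumented, so the "all changes are documented" checklist item stays accurate.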
diff -Nru 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
--- 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
1970-01-01 01:00:00.0 +0100
+++ 
network-manager-openconnect-1.2.8/debian/patches/0002-Add-User-Agent-to-Openconnect-VPN-for-NetworkManager.patch
2023-11-14 15:15:44.0 +0100
@@ -0,0 +1,302 @@
+From: Debasish Patra 
+Date: Sat, 29 Aug 2020 17:58:16 -0400
+Subject: Add User Agent to Openconnect VPN for NetworkManager
+Origin: 
https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/commit/b5e154c06fd9013a925f85c2aa38d88e4ee53db0
+Bug-Debian: https://bugs.debian.org/1053467
+
+---
+ auth-dialog/main.c|  3 +-
+ properties/nm-openconnect-dialog.ui   | 73 +--
+ properties/nm-openconnect-editor-plugin.c |  5 ++
+ properties/nm-openconnect-editor.c| 15 +
+ shared/nm-service-defines.h   |  1 +
+ 5 files changed, 79 insertions(+), 18 deletions(-)
+
+diff --git a/auth-dialog/main.c b/auth-dialog/main.c
+index 99cab7cd921f..305b568650ba 100644
+--- a/auth-dialog/main.c
 b/auth-dialog/main.c
+@@ -1853,6 +1853,7 @@ static void build_main_dialog(auth_ui_data *ui_data)
+ 
+ static auth_ui_data *init_ui_data (char *vpn_name, GHashTable *options, 
GHashTable *secrets

Bug#1054455: bullseye-pu: package weborf/0.17-3

2023-11-04 Thread Salvatore Bonaccorso
Hi Salvo,

On Tue, Oct 24, 2023 at 09:58:30AM +0200, Salvo Tomaselli wrote:
> > This version was already used:
> > https://snapshot.debian.org/package/weborf/0.17-4/
> 
> Sorry!
> 
> Attaching a new debdiff file with the correct version

Now there is an off-by-one in the distro version :)

I believe it should be 0.17-3+deb11u1.

Regards,
Salvatore



Bug#1055155: bookworm-pu: package exim4/4.96-15+deb12u3 (2nd try for new bug)

2023-11-04 Thread Salvatore Bonaccorso
Hi Andreas,

On Wed, Nov 01, 2023 at 12:03:37PM +0100, Andreas Metzler wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> Control: affects -1 + src:exim4
> 
> Hello,
> 
> I would like to push another round of cherry-picked upstream fixes to
> bookworm, including the update to 4.96.2 to fix two non-DSA minor
> security issues.
> 
> The changes are included in the new upstream (4.97 rc) uploads to sid which=
>  are present in sid and testing.
> 
> 
> * Multiple bugfixes from upstream GIT master:
>   + 75_74-Cancel-early-pipe-on-an-observed-advertising-change.patch
>   + 75_76-Expansions-disallow-UTF-16-surrogates-from-utf8clean.patch
> (Upstream bug 2998)
>   + 75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
>   + 75_79-Fix-recipients-expansion-when-used-within-run.-.-Bug.patch
> (Upstream bug 3013)
> > ${run expansion breakage, similar to #1025420.
>   + 75_82-GnuTLS-fix-autogen-cert-expiry-date.-Bug-3014.patch: Fix on-demand
> TLS cert expiry date. Closes: #1043233
> (Upstream bug 3014)
> > This is major hickup, bordering on RC.
> 
>   + 75_83-Re-fix-live-variable-value-free.-The-inital-fix-resu.patch
> > Another patch for ${run} expansion breakage.
>   + 76-10-Fix-tr.-and-empty-strings.-Bug-3023.patch ((Upstream bug 3023)
>   + 76-12-DNS-more-hardening-against-crafted-responses.patch
> * tests/basic: Add isolation-container restriction (needs a running
>   exim daemon).
> * Add ${run } expansion test to tests/basic.
> * Update code to 4.96.2, fixing issues with the proxy protocol
>   (CVE-2023-42117) and the `dnsdb` lookup subsystem (CVE-2023-42219). It
>   also includes additional hardening for spf lookups, however CVE-2023-42218

The mentioned CVEs have a typo. I believe this should be
CVE-2023-42117 and CVE-2023-42119 (and for completeness about the
libspf2 mentioning CVE-2023-42118).

Regards,
Salvatore



Uploading linux (6.5.10-1)

2023-11-02 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.5.10-1 tomorrow to unstable.
The new upload rebases unstable importing the new stable series
versions up to 6.5.10.  An ABI bump is included.

CVE-2023-46813, CVE-2023-5717 and CVE-2023-46862 are fixed with the
new stable import series.

The RT patchset remains so far disabled (it is enabled again for the
6.6 based upload to experimental).

There are some other packaging changes apart from the stable imports
pending with this upload:

   * Disable DEBUG_PREEMPT as it introduces slowdowns up to 20% on certain
 workloads.

Modified to actually not set DEBUG_PREEMPT, as it is not enabled by
default since 6.3-rc1:

   * Do not explicitly unset DEBUG_PREEMPT (not enabled by default since 
6.3-rc1)

Regards,
Salvatore




Bug#1054446: bookworm-pu: package wolfssl/5.5.4-2+deb12u1

2023-10-23 Thread Salvatore Bonaccorso
On Mon, Oct 23, 2023 at 10:12:27PM +0200, Bastian Germann wrote:
> Am 23.10.23 um 22:02 schrieb Salvatore Bonaccorso:
> > > diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
> > > --- wolfssl-5.5.4/debian/changelog2023-02-06 14:41:53.0 
> > > +
> > > +++ wolfssl-5.5.4/debian/changelog2023-10-23 17:46:16.0 
> > > +
> > > @@ -1,3 +1,10 @@
> > > +wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
> > > +
> > > +  * Stable update to address the following vulnerabilities:
> > > +- Fix CVE-2023-3724.
> > 
> > Should the changelog entry close as well #1041699?
> 
> I do not mind adding the bug reference but usually, the Security Team's bugs
> say that one should not close them but rather edit their fixed values.
> And the bug is already closed. I am including the debdiff with the bug
> reference and let you choose.

I do not read that :), and you can close a bug with multiple versions
in the Debian BTS. But anyway, both versions are ok, and I have
anyway no authoritative guidance on the bookworm-pu bug, as I am not a
member of the release team.

Regards,
Salvatore



Bug#1054446: bookworm-pu: package wolfssl/5.5.4-2+deb12u1

2023-10-23 Thread Salvatore Bonaccorso
Hi Bastian,

On Mon, Oct 23, 2023 at 09:48:45PM +0200, Bastian Germann wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-CC: sirkilam...@msn.com
> 
> Hi,
> 
> I am including a fix for wolfssl's CVE-2023-3724.
> The vulnerability is tracked by the Security Team in #1041699 and is fixed in 
> unstable.
> Aside from the changelog, this is exactly the same debdiff as provided by 
> 5.5.4-2.1.
> The new patch is taken from upstream as suggested by Jacob Barthelmeh.
> 
> Thanks,
> Bastian

> diff -Nru wolfssl-5.5.4/debian/changelog wolfssl-5.5.4/debian/changelog
> --- wolfssl-5.5.4/debian/changelog2023-02-06 14:41:53.0 +
> +++ wolfssl-5.5.4/debian/changelog2023-10-23 17:46:16.0 +
> @@ -1,3 +1,10 @@
> +wolfssl (5.5.4-2+deb12u1) bookworm; urgency=medium
> +
> +  * Stable update to address the following vulnerabilities:
> +- Fix CVE-2023-3724.

Should the changelog entry close as well #1041699?

Regards,
Salvatore



Bug#1054421: bookworm-pu: package weborf/0.19

2023-10-23 Thread Salvatore Bonaccorso
Hi,

On Mon, Oct 23, 2023 at 07:07:44PM +0200, Salvo "LtWorf" Tomaselli wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: web...@packages.debian.org, tipos...@tiscali.it
> Control: affects -1 + src:weborf
> 
> I have found a denial of service in all versions of weborf.
> 
> It is tracked in #1054417 and solved in 1.0 upstream. 
> https://github.com/ltworf/weborf/pull/88
> 
> The issue is fixed in unstable but remains in stable and oldstable.
> 
> [ Reason ]
> The bug has been there undetected for years. The fix is minimal.
> 
> [ Impact ]
> The denial of service and extremely unlikely but theoretically possible
> remote execution issue will remain.
> 
> The issue exists only if the process has CGI enabled (not the default).
> 
> [ Tests ]
> 
> There are no automated tests covering the issue.
> 
> [ Risks ]
> 
> The patch is just 3 lines.
> 
> [ Checklist ]
>   [*] *all* changes are documented in the d/changelog
>   [*] I reviewed all changes and I approve them
>   [*] attach debdiff against the package in (old)stable
>   [*] the issue is verified as fixed in unstable
> 
> [ Changes ]
> 
> A patch to remove a memory allocation and copy, where I forgot a +1 in the 
> copy.
> 
> The resulting code just reuses the same buffer instead of copying, which was 
> not
> needed to begin with.
> 
> [ Other info ]
> 
> Tracked in CVE-2023-46586

> diff -Nru weborf-0.19/debian/changelog weborf-0.19/debian/changelog
> --- weborf-0.19/debian/changelog  2022-10-15 12:57:06.0 +0200
> +++ weborf-0.19/debian/changelog  2023-10-23 18:38:21.0 +0200
> @@ -1,3 +1,9 @@
> +weborf (0.19-3) bookworm; urgency=medium
> +
> +  * Backport patch from upstream to fix denial of service (Closes: 1054417)
> +
> + -- Salvo 'LtWorf' Tomaselli   Mon, 23 Oct 2023 
> 18:38:21 +0200
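Review bot: `Closes: 1054417` in the new changelog entry is missing the `#` in front of the bug number; dpkg-parsechangelog still recognises it, but the conventional form is `Closes: #1054417`, and using it keeps the entry consistent with the rest of the archive and easier to grep.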

The version works because 0.19-3 never landed in the archive.
Normally you would use a +debXuY suffix, in the above case +deb12u1.
But I assume SRM will still ack the fix as it is (other packages do
not follow this as a strict rule either, e.g. src:linux, but that is
because it follows the stable series).

Regards,
Salvatore



Uploading linux (6.5.8-1)

2023-10-22 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.5.8-1 later today to unstable.
The new upload would consist of importing new stable series versions
up to 6.5.8. An ABI bump is included.

Notably the RT patchset is still disabled as mentioned in the 6.5.6-1
upload announcement.

CVE-2023-34324 is fixed with the new stable import series.

There are some other packaging changes apart from the stable imports
pending with this upload:

  * Bump ABI to 3
  * [x86] KVM: SVM: always update the x2avic msr interception (CVE-2023-5090)
  * nvmet-tcp: Fix a possible UAF in queue intialization setup (CVE-2023-5178)
  * Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO
(CVE-2023-31083)

Regards,
Salvatore




Uploading linux (6.5.6-1)

2023-10-07 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.5.6-1 later today to unstable.
The new upload would consist of importing new stable series version up
to 6.5.6. An ABI bump is included.

Notably given RT patchset is not updated anymore for 6.5.y series
upstream, this update disables it temporarily. It might be re-enabled
for 6.6.y.

With the upload a couple of (known and CVEied) security fixes are
addressed: CVE-2023-4921, CVE-2023-5197, CVE-2023-5345, CVE-2023-42754
and CVE-2023-42756. Via upstream changes, #1037142, #1052584 and
#1052063 are addressed.

There are some other packaging changes apart from the stable imports
pending with this upload:

   * Bump ABI to 2
   * [rt] Disable RT featureset as not supported in 6.5.y series
   * [x86] drivers/watchdog: Enable ADVANTECH_EC_WDT as module (Closes: 
#1051449)
   * [x86] drivers/platform/x86: Enable SYSTEM76_ACPI as module
 (Closes: #1050996)
   * [arm64] Add qrtr to kernel-image udeb, needed by Lenovo Thinkpad X13s.

Regards,
Salvatore




Re: Bug#983912: grub2: consider renaming signed source packages to grub2-signed-*

2023-10-06 Thread Salvatore Bonaccorso
Hi,

On Sun, Nov 20, 2022 at 09:11:09PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Mar 03, 2021 at 10:52:39AM +0100, Ansgar wrote:
> > Source: grub2
> > Version: 2.04-16
> > Severity: normal
> > X-Debbugs-Cc: ftpmas...@debian.org, debian-release@lists.debian.org
> > 
> > grub2 currently uses grub-efi-signed-* as source package names for the
> > Secure Boot signed packages.  While releasing the last security update
> > we found a small issue with these names:
> > 
> > dak processes source packages in lexicographic order, so it would
> > process grub-efi-signed-* before grub2 when accepting all packages at
> > once from the "embargoed" policy queue.  But the grub-efi-signed-*
> > binary packages have Built-Using: grub2; as grub2 is not accepted from
> > embargoed at this point in time, the /binary/ uploads will be rejected
> > in this case.  (This problem exists in principle with all Built-Using
> > relations.)
> > 
> > We could avoid this particular problem if the source package names of
> > the signed packages sort after grub2, i.e., if they were named
> > grub2-signed-* or grub2-efi-signed-*.  With linux this is already the
> > case (src:linux and src:linux-signed-*).
> > 
> > (As a minor thing, I think the changelog entry in the signed packages
> > should also use the grub maintainer's name, not ftpmaster@ similar to
> > what src:linux-signed-* has, but that is just cosmetics.)
> > 
> > I've Cc'ed debian-release@ as it is already past soft freeze, but I
> > think just renaming the source packages would be unlikely to break
> > anything.
> 
> As we were hit by this issue in the last DSA (DSA 5280-1) again,
> should we attempt to have this changed at least for bookworm?

For DSA 5519-1 I fortunately remembered this bug and did install the
packages in two steps, first dak new-security-install grub2*.changes,
then the grub-efi*.changes.

I still think it would be great if we can do the above mentioned renames,
to avoid this problem (or is it maybe realistic that we could tackle the
problem itself at dak level?).

Regards,
Salvatore



Re: Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems

2023-10-02 Thread Salvatore Bonaccorso
Hi Adrian,

Sorry for not replying early, busy with preparing the updates.

On Fri, Sep 29, 2023 at 03:41:15AM +0300, Adrian Bunk wrote:
> On Sat, Sep 09, 2023 at 10:15:59AM +0200, Salvatore Bonaccorso wrote:
> >...
> > Note that the last time the problem arose already earlier in
> > experimental and Ben worked around it there with
> > https://salsa.debian.org/kernel-team/linux/-/commit/9dfe6d33a4fd220394228b30cbbfdb3b444d36ec
> > We probably can do that as well here. 60443c88f3a8 ("kallsyms: Improve
> > the performance of kallsyms_lookup_name()") was in fact backported to
> > 6.1.42. So this is next I would try and disable MPTCP and
> > FUNCTION_TRACER.
> >...
> 
> Yes, that looks reasonable.

Great thanks, this landed now for the point release updates and in
fact we have the armel builds back.

> Additionally, one generic cause of bloat is:
>   debian/changelog:  * Enable UNICODE. (closes: #985689)
>   debian/config/config:CONFIG_UNICODE=y
> 
> That's 74 kB uncompressed, and there doesn't seem to be any 
> justification for not making it modular. It's not urgent since
> Ben's change handles the immediate problem, but worth changing
> in unstable.

Could you file a bug against src:linux for it, so this might be
further addressed in unstable for armel?

Regards,
Salvatore



Bug#1053240: bullseye-pu: package ghostscript/9.53.3~dfsg-7+deb11u6

2023-09-29 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscr...@packages.debian.org, car...@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more
thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues
which are very targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and
for the second issue, prevent PostScript programs switching to the IJS
device after SAFER has been activated (and prevent changes to the
IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore
diff -Nru ghostscript-9.53.3~dfsg/debian/changelog 
ghostscript-9.53.3~dfsg/debian/changelog
--- ghostscript-9.53.3~dfsg/debian/changelog2023-07-02 11:54:08.0 
+0200
+++ ghostscript-9.53.3~dfsg/debian/changelog2023-09-29 14:24:57.0 
+0200
@@ -1,3 +1,12 @@
+ghostscript (9.53.3~dfsg-7+deb11u6) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559)
+(Closes: #1043033)
+  * IJS device - try and secure the IJS server startup (CVE-2023-43115)
+
+ -- Salvatore Bonaccorso   Fri, 29 Sep 2023 14:24:57 +0200
+
 ghostscript (9.53.3~dfsg-7+deb11u5) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch 
ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch  
1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.53.3~dfsg/debian/patches/020230717~d81b82c.patch  
2023-09-29 14:24:57.0 +0200
@@ -0,0 +1,28 @@
+From: Chris Liddell 
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
+Bug-Debian: https://bugs.debian.org/1043033
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559
+
+Bounds check the buffer, before dereferencing the pointer.
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 7b14d9c712b4..6351fb77ac75 100644
+--- a/base/gdevdevn.c
 b/base/gdevdevn.c
+@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, 
int step, gp_file * file
+ byte data = *from;
+ 
+ from += step;
+-if (data != *from || from == end) {
++if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+-- 
+2.40.1
+
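Review bot: the reordered condition on the `+` line, `if (from >= end || data != *from)`, only closes the overrun because `||` short-circuits: the old line evaluated `data != *from` first and so dereferenced `from` before checking whether it had reached `end`, reading one position past the buffer on the last iteration. The operand order is load-bearing here; a one-line comment in the patch (or the Debian patch header) saying so would keep a later cleanup from swapping it back.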
diff -Nru ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch 
ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch
--- ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch  
1970-01-01 01:00:00.0 +0100
+++ ghostscript-9.53.3~dfsg/debian/patches/020230824~8b0f200.patch  
2023-09-29 14:24:57.0 +0200
@@ -0,0 +1,53 @@
+From: Ken Sharp 
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: IJS device - try and secure the IJS server startup
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the IJS device
+after SAFER has been activated, and prevents changes to the IjsServer
+parameter after SAFER has been activated.
+
+SAFER is activated, unless explicitly disabled, before any user
+PostScript is executed which means that the device and the server
+invocation can only be configured on the command

Bug#1053239: bookworm-pu: package ghostscript/10.0.0~dfsg-11+deb12u2

2023-09-29 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: ghostscr...@packages.debian.org, car...@debian.org
Control: affects -1 + src:ghostscript

Hi stable release managers,

[ Reason ]
Fix two CVEs which we did mark no-dsa (though one might after more
thinking be a candidate). Fix CVE-2023-38559 and CVE-2023-43115.

[ Impact ]
CVE-2023-38559 and CVE-2023-43115 would remain open so far.

[ Tests ]
Performed manual test for CVE-2023-43115.

[ Risks ]
Should be low, following the upstream commits to resolve the issues
which are very targeted.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Apply upstream fixes to address the CVEs. Adjust checks on input and
for the second issue, prevent PostScript programs switching to the IJS
device after SAFER has been activated (and prevent changes to the
IjsServer parameter after SAFER has been activated).

[ Other info ]
None.

Regards,
Salvatore
diff -Nru ghostscript-10.0.0~dfsg/debian/changelog 
ghostscript-10.0.0~dfsg/debian/changelog
--- ghostscript-10.0.0~dfsg/debian/changelog2023-07-02 10:50:27.0 
+0200
+++ ghostscript-10.0.0~dfsg/debian/changelog2023-09-29 14:33:30.0 
+0200
@@ -1,3 +1,12 @@
+ghostscript (10.0.0~dfsg-11+deb12u2) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Copy pcx buffer overrun fix from devices/gdevpcx.c (CVE-2023-38559)
+(Closes: #1043033)
+  * IJS device - try and secure the IJS server startup (CVE-2023-43115)
+
+ -- Salvatore Bonaccorso   Fri, 29 Sep 2023 14:33:30 +0200
+
 ghostscript (10.0.0~dfsg-11+deb12u1) bookworm-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru 
ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
 
ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
--- 
ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
  1970-01-01 01:00:00.0 +0100
+++ 
ghostscript-10.0.0~dfsg/debian/patches/0005-Bug-706897-Copy-pcx-buffer-overrun-fix-from-devices-.patch
  2023-09-29 14:17:17.0 +0200
@@ -0,0 +1,28 @@
+From: Chris Liddell 
+Date: Mon, 17 Jul 2023 14:06:37 +0100
+Subject: Bug 706897: Copy pcx buffer overrun fix from devices/gdevpcx.c
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
+Bug-Debian: https://bugs.debian.org/1043033
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-38559
+
+Bounds check the buffer, before dereferencing the pointer.
+---
+ base/gdevdevn.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/base/gdevdevn.c b/base/gdevdevn.c
+index 7b14d9c712b4..6351fb77ac75 100644
+--- a/base/gdevdevn.c
 b/base/gdevdevn.c
+@@ -1983,7 +1983,7 @@ devn_pcx_write_rle(const byte * from, const byte * end, 
int step, gp_file * file
+ byte data = *from;
+ 
+ from += step;
+-if (data != *from || from == end) {
++if (from >= end || data != *from) {
+ if (data >= 0xc0)
+ gp_fputc(0xc1, file);
+ } else {
+-- 
+2.40.1
+
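Review bot: the change from `from == end` to `from >= end` is as important as the reordering: `from += step` advances by `step` (visible in the hunk header's parameter list), so with a step larger than one `from` can jump past `end` without ever being equal to it, and the old equality test would then keep dereferencing beyond the buffer. Since both the bullseye and bookworm patches carry this same hunk, the changelog line "Copy pcx buffer overrun fix" could usefully say that the fix is the bounds check ahead of the dereference, so the security tracker entry for CVE-2023-38559 is self-explanatory.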
diff -Nru 
ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
 
ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
--- 
ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
  1970-01-01 01:00:00.0 +0100
+++ 
ghostscript-10.0.0~dfsg/debian/patches/0006-IJS-device-try-and-secure-the-IJS-server-startup.patch
  2023-09-29 14:22:09.0 +0200
@@ -0,0 +1,58 @@
+From: Ken Sharp 
+Date: Thu, 24 Aug 2023 15:24:35 +0100
+Subject: IJS device - try and secure the IJS server startup
+Origin: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=8b0f20002536867bd73ff4552408a72597190cbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-43115
+
+Bug #707051 ""ijs" device can execute arbitrary commands"
+
+The problem is that the 'IJS' device needs to start the IJS server, and
+that is indeed an arbitrary command line. There is (apparently) no way
+to validate it. Indeed, this is covered quite clearly in the comments
+at the start of the source:
+
+ * WARNING: The ijs server can be selected on the gs command line
+ * which is a security risk, since any program can be run.
+
+Previously this used the awful LockSafetyParams hackery, which we
+abandoned some time ago because it simply couldn't be made secure (it
+was implemented in PostScript and was therefore vulnerable to PostScript
+programs).
+
+This commit prevents PostScript programs switching to the I

Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2

2023-09-29 Thread Salvatore Bonaccorso
Hi Yadd,

On Fri, Sep 29, 2023 at 05:37:25PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
> Control: affects -1 + src:lemonldap-ng
> 
> [ Reason ]
> Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
>  - an open redirection only when configuration is edited by hand and
>doesn't follow OIDC specifications
>  - a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
>A little-known feature of OIDC allows the OpenID Provider to fetch the
>Authorization request parameters itself by indicating a request_uri
>parameter. This feature is now restricted to a white list using this
>patch
> 
> [ Impact ]
> One low and one medium security issue.
> 
> [ Tests ]
> Patches include test updates
> 
> [ Risks ]
> Outside of test changes, patches are not so big and the test coverage
> provided by upstream is good, so risk is moderate.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> - open redirection patch: just rejects requests with `redirect_uri` if
>   relying party configuration has no declared redirect URIs.
> - SSRF patch:
>   * add new configuration parameter to list authorized "request_uris"
>   * change the algorithm that manages the request_uri parameter
> 
> Cheers,
> Xavier

> diff --git a/debian/NEWS b/debian/NEWS
> index b8955920b..5295a3cbb 100644
> --- a/debian/NEWS
> +++ b/debian/NEWS
> @@ -1,3 +1,13 @@
> +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium


bookworm?

(but that said I guess that can be considered minor if time is tight
to get the upload in, but as well disclaimer, not part of the release
team)

Regards,
Salvatore



Bug#1051466: bookworm-pu: package ovn/23.03.1-1~deb12u1

2023-09-19 Thread Salvatore Bonaccorso
Hi

(not a SRM here, but below some comments)

On Fri, Sep 08, 2023 at 01:32:05PM +0200, Frode Nordahl wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org
> 
> Dear Release Team,
> 
> We would like to upload the latest stable point release of ovn 23.03
> to bookworm-p-u. Stable release branches are maintained upstream with
> the intention of providing bug fixes only and no compatibility
> breakages, and with automated non-trivial CI jobs that also cover
> Debian and Ubuntu.
> 
> Debdiff attached. Packaging updated with gbp/salsa config for new
> bookworm stable branch and in-flight patches to fix an issue with
> unnecessary logging breaking one of the tests introduced in the point
> release.

Your debdiff did not make it to the list I think because of the size.

Two observations: Can you please close #1043598 in the debian/changelog
as well, as the update addresses CVE-2023-3153.

You would need first to make sure the fixes land in unstable unless
you plan to diverge and go to a new upstream version for another
branch. But make sure the CVE-2023-3153 / #1043598 fix is included in
unstable as well.

Hope this helps,

Regards,
Salvatore



Bug#1052021: bookworm-pu: package nftables/1.0.6-2+deb12u2

2023-09-16 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: nftab...@packages.debian.org, Timo Sigurdsson 
, Arturo Borrero Gonzalez , 
car...@debian.org
Control: affects -1 + src:nftables

Dear stable release managers,

[ Reason ]
Timo Sigurdsson reported, after I released DSA 5492-1 for linux, that
in his case nftables rules won't be loaded anymore:

https://bugs.debian.org/1051592

This was tracked down with a Linux change, 0ebc1064e487 ("netfilter:
nf_tables: disallow rule addition to bound chain via
NFTA_RULE_CHAIN_ID"), which is to address CVE-2023-4147, but uncovered
an issue with nftables releases before v1.0.7 upstream. nftables is
generating incorrect bytecode, which is hit with this new kernel check
that rejects adding rules to bound chains.

Following https://lore.kernel.org/stable/ZP+bUpxJiFcmTWhy@calendula/
and further discussion on the Linux kernel mailing lists it looks like
this has to be addressed in netfilter itself (arguably the change
should not break userspace, but see Florian Westphal in the thread).

[ Impact ]
Users who have such rules and run unpatched nftables but have updated
the Linux kernel to address security fixes (and later to be included
in the point release as well) are left without loaded nftables rules.

[ Tests ]
Explicit tests with the rules provided by Timo to verify they
correctly get loaded with updated nftables userland and the updated
kernel.

[ Risks ]
Pablo Neira Ayuso provided the series of commits required to address
the issue. They apply cleanly for the bookworm version.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
See above.

[ Other info ]
Unfortunately this will be needed for bullseye as well, but the
version of nftables there is substantially older; I have not yet
verified how the patches apply, but it will need to be asked for
anyway in a separate bullseye-pu update request.

Regards,
Salvatore
diff -Nru nftables-1.0.6/debian/changelog nftables-1.0.6/debian/changelog
--- nftables-1.0.6/debian/changelog 2023-06-20 16:55:52.0 +0200
+++ nftables-1.0.6/debian/changelog 2023-09-16 07:47:15.0 +0200
@@ -1,3 +1,13 @@
+nftables (1.0.6-2+deb12u2) bookworm; urgency=medium
+
+  * [136245a] Fix incorrect bytecode generation hit with new kernel check that
+rejects adding rules to bound chains (Closes: #1051592)
+- rule: add helper function to expand chain rules intoi commands
+- rule: expand standalone chain that contains rules
+- src: expand table command before evaluation
+
+ -- Salvatore Bonaccorso   Sat, 16 Sep 2023 07:47:15 +0200
+
 nftables (1.0.6-2+deb12u1) bookworm; urgency=medium
 
   * [7edf72e] d/patches: add 0001-debian-bug-1038724.patch (Closes: #1038724)
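Review bot: the first bullet carries the typo "intoi" from the upstream patch subject; the changelog is Debian's own text, so it can read "into commands" even if the patch file keeps the upstream title. The entry also references #1051592 but not the kernel change 0ebc1064e487 / CVE-2023-4147 that exposes the incorrect bytecode, which the mail above explains; one clause naming it would make the changelog understandable on its own.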
diff -Nru 
nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch
 
nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch
--- 
nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch
1970-01-01 01:00:00.0 +0100
+++ 
nftables-1.0.6/debian/patches/rule-add-helper-function-to-expand-chain-rules-into-.patch
2023-09-16 07:47:15.0 +0200
@@ -0,0 +1,82 @@
+From 4e5b0a64227dde250f94bec45b3fb127d78b7fd2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso 
+Date: Mon, 6 Feb 2023 15:28:40 +0100
+Subject: [PATCH 1/3,nft] rule: add helper function to expand chain rules intoi
+ commands
+
+[ upstream commit 784597a4ed63b9decb10d74fdb49a1b021e22728 ]
+
+This patch adds a helper function to expand chain rules into commands.
+This comes in preparation for the follow up patch.
+
+Signed-off-by: Pablo Neira Ayuso 
+---
+ src/rule.c | 39 ++-
+ 1 file changed, 22 insertions(+), 17 deletions(-)
+
+diff --git a/src/rule.c b/src/rule.c
+index 1402210acd8d..43c6520517ce 100644
+--- a/src/rule.c
 b/src/rule.c
+@@ -1310,13 +1310,31 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, 
const struct location *loc)
+   cmd->num_attrs++;
+ }
+ 
++static void nft_cmd_expand_chain(struct chain *chain, struct list_head 
*new_cmds)
++{
++  struct rule *rule;
++  struct handle h;
++  struct cmd *new;
++
++  list_for_each_entry(rule, >rules, list) {
++  memset(, 0, sizeof(h));
++  handle_merge(, >handle);
++  if (chain->flags & CHAIN_F_BINDING) {
++  rule->handle.chain_id = chain->handle.chain_id;
++  rule->handle.chain.location = chain->location;
++  }
++  new = cmd_alloc(CMD_ADD, CMD_OBJ_RULE, ,
++  >location, rule_get(rule));
++  list_add_tail(>list, new_cmds);
++  }
++}
++
+ void nft_cm
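Review bot: the patch body is cut off after `+ void nft_cm` although the header announces `@@ -0,0 +1,82 @@`, so the callers of nft_cmd_expand_chain and patches 2/3 and 3/3 cannot be reviewed from this excerpt; compare against upstream commit 784597a4ed63 named in the patch header. In the visible helper, `rule->handle.chain_id` and `rule->handle.chain.location` are rewritten in place for CHAIN_F_BINDING chains before `rule_get(rule)` takes a reference, so the rule object still linked into the original chain keeps the rewritten handle; a short comment stating that this is intended for expansion into commands would help the next reader. Note also that the archive rendering has dropped `&` characters (`>rules`, `memset(, 0`, `>location`), so the lines as displayed here are not what the patch file contains.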

Bug#1051937: bullseye-pu: package cairosvg/oldstable-new

2023-09-14 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister 
, car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister, cairosvg suffers
from a regression from the original upstream fix for CVE-2023-27586,
where embedded images using data URIs no longer work without the
unsafe flag. To fix the issue it would only be necessary to disallow
loading of external files, but data URIs would be expected to still
work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images
using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for
CVE-2023-27586.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using a newly introduced
safe_fetch which fetches the content of a passed URL if it's a data
URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore
diff -Nru cairosvg-2.5.0/debian/changelog cairosvg-2.5.0/debian/changelog
--- cairosvg-2.5.0/debian/changelog 2023-03-23 20:51:51.0 +0100
+++ cairosvg-2.5.0/debian/changelog 2023-09-06 21:24:37.0 +0200
@@ -1,3 +1,10 @@
+cairosvg (2.5.0-1.1+deb11u2) bullseye; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso   Wed, 06 Sep 2023 21:24:37 +0200
+
 cairosvg (2.5.0-1.1+deb11u1) bullseye-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
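Review bot: the entry closes #1050643 but does not say that it is a follow-up to the CVE-2023-27586 fix in 2.5.0-1.1+deb11u1 shown directly below; naming the CVE in the bullet keeps the regression traceable from the changelog alone.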
diff -Nru cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch 
cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
1970-01-01 01:00:00.0 +0100
+++ cairosvg-2.5.0/debian/patches/Handle-data-URLs-in-safe-mode.patch   
2023-09-06 21:24:37.0 +0200
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub 
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: 
https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py |  5 ++---
+ cairosvg/url.py| 11 +++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
 b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+ 
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+ 
+ # Don’t allow fetching external files unless explicitly asked for
+ if 'url_fetcher' not in kwargs and not unsafe:
+-self.url_fetcher = (
+-lambda *args, **kwargs: b'')
++self.url_fetcher = safe_fetch
+ 
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
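Review bot: the removed lambda returned b'' for every URL, which is exactly what broke data: URIs in safe mode; the replacement only changes the `not unsafe` branch, so callers passing `unsafe=True` or their own `url_fetcher` are unaffected. It would be worth stating in the patch description that safe mode still performs no network or file I/O, since that is the property the CVE-2023-27586 fix established and the one this follow-up must preserve.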
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
 b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+ return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+ 
+ 
++def safe_fetch(url, resource_type):
++"""Fetch the content of ``url`` only if it’s a data-URL.
++
++Otherwise, return an empty SVG.
++
++"""
++if url and url.startswith('data:'):
++return fetch(url, resource_type)
++return b''
++
++
+ def parse_url(url, base=None):
+ """Parse an URL.
+ 
+-- 
+2.40.1
+
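Review bot: `url.startswith('data:')` is case-sensitive, so a `DATA:` or `Data:` scheme is refused rather than decoded; that fails in the safe direction, but `url.lower().startswith('data:')` would match what browsers accept and avoid surprising users. The data: URL is then handed to fetch(), which in the visible context line calls `urlopen(Request(url, headers=HTTP_HEADERS))`; urllib resolves data: URLs in-process through its DataHandler without any network access, which is why this stays within the safe-mode contract, but that reasoning belongs in the docstring rather than being left implicit.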
diff -Nru cairosvg-2.5.0/debian/patches/series 
cairosvg-2.5.0/debian/patches/series
--- cairosvg-2.5.0/debian/patches/series2023-03-23 20:51:07.0 
+0100
+++ cairosvg-2.5.0/debian/patches/series2023-09-06 21:23:58.0 
+0200
@@ -1,3 +1,4 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
 0002-Don-t-use-overlapping-groups-for-regular-expressions.patch
 Don-t-allow-fetching-external-files-unless-explicitl.patch
+Handle-data-URLs-in-safe-mode.patch
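Review bot: the new patch is appended after Don-t-allow-fetching-external-files-unless-explicitl.patch, which is the required order since it edits the `self.url_fetcher` assignment inside the "Don't allow fetching external files" block that the earlier patch introduced; nothing else to change here.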


Bug#1051936: bookworm-pu: package cairosvg/2.5.2-1.1+deb12u1

2023-09-14 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cairo...@packages.debian.org, Joe Burmeister 
, car...@debian.org
Control: affects -1 + src:cairosvg

Dear SRM,

[ Reason ]
Triggered by an off-list report from Joe Burmeister, cairosvg suffers
from a regression from the original upstream fix for CVE-2023-27586,
where embedded images using data URIs no longer work without the
unsafe flag. To fix the issue it would only be necessary to disallow
loading of external files, but data URIs would be expected to still
work.

See:
- https://bugs.debian.org/1050643
- https://github.com/Kozea/CairoSVG/issues/383

[ Impact ]
Without using the unsafe flag, it is not possible to embed images
using data URIs.

[ Tests ]
Joe tested the updated package with a (non public) testcase.

[ Risks ]
Syncs up with upstream fixes after the original fix for
CVE-2023-27586.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Allow handling data-URLs in safe mode as well, using a newly introduced
safe_fetch which fetches the content of a passed URL if it's a data
URL and returns an empty SVG otherwise.

[ Other info ]
None

Regards,
Salvatore
diff -Nru cairosvg-2.5.2/debian/changelog cairosvg-2.5.2/debian/changelog
--- cairosvg-2.5.2/debian/changelog 2023-03-21 22:21:22.0 +0100
+++ cairosvg-2.5.2/debian/changelog 2023-09-06 21:20:16.0 +0200
@@ -1,3 +1,10 @@
+cairosvg (2.5.2-1.1+deb12u1) bookworm; urgency=medium
+
+  * Non-maintainer upload.
+  * Handle data-URLs in safe mode (Closes: #1050643)
+
+ -- Salvatore Bonaccorso   Wed, 06 Sep 2023 21:20:16 +0200
+
 cairosvg (2.5.2-1.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch 
cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch
--- cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch   
1970-01-01 01:00:00.0 +0100
+++ cairosvg-2.5.2/debian/patches/Handle-data-URLs-in-safe-mode.patch   
2023-09-06 21:20:16.0 +0200
@@ -0,0 +1,61 @@
+From: Guillaume Ayoub 
+Date: Tue, 18 Apr 2023 14:51:13 +0200
+Subject: Handle data-URLs in safe mode.
+Origin: 
https://github.com/Kozea/CairoSVG/commit/2cbe3066e604af67c31d6651aa3acafe4ae0749d
+Bug: https://github.com/Kozea/CairoSVG/issues/383
+Bug-Debian: https://bugs.debian.org/1050643
+
+Fix #383.
+---
+ cairosvg/parser.py |  5 ++---
+ cairosvg/url.py| 11 +++
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/cairosvg/parser.py b/cairosvg/parser.py
+index 61275f0a1073..06a65db5c0e2 100644
+--- a/cairosvg/parser.py
 b/cairosvg/parser.py
+@@ -14,7 +14,7 @@ from defusedxml import ElementTree
+ from . import css
+ from .features import match_features
+ from .helpers import flatten, pop_rotation, rotations
+-from .url import fetch, parse_url, read_url
++from .url import fetch, parse_url, read_url, safe_fetch
+ 
+ # 'display' is actually inherited but handled differently because some markers
+ # are part of a none-displaying group (see test painting-marker-07-f.svg)
+@@ -393,8 +393,7 @@ class Tree(Node):
+ 
+ # Don’t allow fetching external files unless explicitly asked for
+ if 'url_fetcher' not in kwargs and not unsafe:
+-self.url_fetcher = (
+-lambda *args, **kwargs: b'')
++self.url_fetcher = safe_fetch
+ 
+ self.xml_tree = tree
+ root = cssselect2.ElementWrapper.from_xml_root(tree)
+diff --git a/cairosvg/url.py b/cairosvg/url.py
+index b4a78eaf6645..7b184e6e74d9 100644
+--- a/cairosvg/url.py
 b/cairosvg/url.py
+@@ -84,6 +84,17 @@ def fetch(url, resource_type):
+ return urlopen(Request(url, headers=HTTP_HEADERS)).read()
+ 
+ 
++def safe_fetch(url, resource_type):
++"""Fetch the content of ``url`` only if it’s a data-URL.
++
++Otherwise, return an empty SVG.
++
++"""
++if url and url.startswith('data:'):
++return fetch(url, resource_type)
++return b''
++
++
+ def parse_url(url, base=None):
+ """Parse an URL.
+ 
+-- 
+2.40.1
+
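Review bot: this patch file is the same as the one in the bullseye request #1051937 above, including the case-sensitive `startswith('data:')` check and the unchanged upstream index lines (61275f0a1073..06a65db5c0e2 for parser.py, b4a78eaf6645..7b184e6e74d9 for url.py), so the remarks there apply here as well; since the 2.5.2 sources may differ from 2.5.0, confirm that quilt applies it without fuzz before upload.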
diff -Nru cairosvg-2.5.2/debian/patches/series 
cairosvg-2.5.2/debian/patches/series
--- cairosvg-2.5.2/debian/patches/series2023-03-21 22:20:08.0 
+0100
+++ cairosvg-2.5.2/debian/patches/series2023-09-06 21:19:48.0 
+0200
@@ -1,2 +1,3 @@
 0001-Remove-pytest-options-for-plugins-not-packaged-for-D.patch
 Don-t-allow-fetching-external-files-unless-explicitl.patch
+Handle-data-URLs-in-safe-mode.patch
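
The safe-mode fetcher that both cairosvg requests (#1051937 and #1051936) describe, as an added example in Python that is not cairosvg's code and not part of either debdiff: it resolves data: URLs locally, decoding both base64 and percent-encoded payloads, and returns the empty document for any other scheme so that no network or file access happens in safe mode. The SVG payload and the URLs are constructed samples, and `parse_data_url`, `EMPTY_SVG` and the sample names are chosen here, not taken from the project.

```python
# Added example, not cairosvg's code: a url_fetcher for safe mode that
# resolves data: URLs in-process and refuses every other scheme.
import base64
from urllib.parse import unquote_to_bytes

# What safe mode hands back for a refused URL: an empty document, which
# the renderer treats as "nothing to draw" (mirrors the b'' in the patch).
EMPTY_SVG = b''

# Constructed sample input: a tiny SVG embedded as a base64 data: URL.
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>'
SAMPLE_DATA_URL = ('data:image/svg+xml;base64,'
                   + base64.b64encode(SAMPLE_SVG).decode('ascii'))


def parse_data_url(url):
    """Decode an RFC 2397 data: URL into (media_type, payload bytes).

    Raises ValueError for anything that is not a well-formed data: URL, so
    the caller can fall back to the empty document without ever touching
    the network or the filesystem.
    """
    scheme, sep, rest = url.partition(':')
    if not sep or scheme.lower() != 'data':
        raise ValueError('not a data: URL')
    header, sep, payload = rest.partition(',')
    if not sep:
        raise ValueError('data: URL without a payload separator')
    params = header.split(';')
    media_type = params[0] or 'text/plain'   # RFC 2397 default
    if params[-1].lower() == 'base64':
        # The payload may itself be percent-encoded; undo that first.
        # b64decode raises binascii.Error (a ValueError) on bad input.
        return media_type, base64.b64decode(unquote_to_bytes(payload))
    return media_type, unquote_to_bytes(payload)


def safe_fetch(url, resource_type):
    """url_fetcher(url, resource_type) for safe mode.

    Only data: URLs are resolved, entirely in-process; http(s):, file:,
    malformed and missing URLs all yield EMPTY_SVG. resource_type is kept
    for signature compatibility with cairosvg's fetcher hook and ignored.
    """
    if not isinstance(url, str) or not url:
        return EMPTY_SVG
    try:
        _media_type, payload = parse_data_url(url)
    except ValueError:
        return EMPTY_SVG
    return payload
```

The design point is that the decision is made on the parsed scheme rather than on a string prefix, so a capitalised `DATA:` scheme is accepted while anything that fails to parse as a data: URL is refused; the caller never learns whether the refusal was "external" or "malformed", which keeps the safe path simple.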


Uploading linux (6.5.3-1)

2023-09-13 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.5.3-1 later today to unstable.
The new upload would consist of a new upstream version switching to
the 6.5.y series in unstable. An ABI bump is included.

The new upload fixes CVE-2023-4623 and CVE-2023-25775.

Apart from switching from 6.4.y to 6.5.y series there are additional
changes covering:

  * Enable KFENCE support (not enabled by default) (Closes: #1025845)
  * net/xdp: Enable XDP_SOCKETS_DIAG as module (Closes: #1051455)
  * udeb: Make MPT modules optional in scsi-modules (fixes FTBFS on s390x)
(Closes: #1051249)
  * Refresh "radeon, amdgpu: Firmware is required for DRM and KMS on R600
onward"
  * Set ABI to 1
  * [rt] Update to 6.5.2-rt8
  * [arm64] Add reset-rzg2l-usbphy-ctrl to usb-modules udeb in order to enable
USB support on Renesas RZ/G2L-SMARC boards.
  * [arm64,armhf] drivers/hwspinlock: Enable CONFIG_HWSPINLOCK
  * [arm64] Add support for Lenovo ThinkPad X13s: enable as modules
SC_DISPCC_8280XP, SC_GCC_8280XP, SC_GPUCC_8280XP, QCOM_SPMI_ADC5,
INTERCONNECT_QCOM_OSM_L3, INTERCONNECT_QCOM_SC8280XP, LEDS_QCOM_LPG,
QCOM_IPCC, QCOM_FASTRPC, NVMEM_SPMI_SDAM, PHY_QCOM_EDP, PHY_QCOM_QMP_PCIE,
PHY_QCOM_USB_SNPS_FEMTO_V2, PINCTRL_SC8280XP, PINCTRL_SC8280XP_LPASS_LPI,
PINCTRL_LPASS_LPI, POWER_RESET_QCOM_PON, BATTERY_QCOM_BATTMGR,
QCOM_Q6V5_ADSP, QCOM_Q6V5_PAS, QCOM_Q6V5_WCSS, QCOM_SYSMON, QCOM_LLCC,
QCOM_OCMEM, QCOM_PMIC_GLINK, QCOM_STATS, QCOM_APR, QCOM_ICC_BWMON,
SPI_QCOM_GENI, TYPEC_MUX_GPIO_SBU, QRTR_SMD, SND_SOC_WCD938X_SDW,
SND_SOC_LPASS_WSA_MACRO, SND_SOC_LPASS_VA_MACRO, SND_SOC_LPASS_RX_MACRO,
SND_SOC_LPASS_TX_MACRO, SND_SOC_QDSP6
(Thanks Steve Capper!)
  * [arm64] Add Thinkpad X13s modules to udebs
  * drivers/char/hw_random: Change HW_RANDOM from module to built-in
(Closes: #1041007)
  * drivers/char/tpm: Do not explicitly set HW_RANDOM_TPM
  * [arm64, cloud, x86] drivers/char/tpm: Do not explicitly enable TCG_TPM
  * [arm*,ppc64*,sparc64,s390x] drivers/char/hw_random: Prevent some HW Random
Number Generator drivers from being built-in

And the following already included in experimental uploads up to
6.5.1-1~exp1:

  * [riscv64] enable cpufreq support for Starfive JH7110: enable CPUFREQ_DT,
MFD_AXP20X_I2C and REGULATOR_AXP20X as modules, and CPUFREQ_DT_PLATDEV as
built-in.
  * [armel/rpi,armhf,arm64] enable CPUFREQ_DT_PLATDEV as built-in, as it does
not get autoloaded as a module (Closes: #1050587)
  * Use pytest to test some of the code.
  * Re-add /usr/include/drm and /usr/include/scsi to linux-libc-dev; they
don't longer conflict with other packages. (closes: #1050368)
  * Properly split host and build flags. (closes: #1050991)
  * [x86] drivers/hwtracing/intel_th: Enable INTEL_TH_ACPI Intel Trace Hub
ACPI controller as module (Closes: #1050342)
  * [amd64] arch/x86/ras: Enable RAS_CEC (Correctable Errors Collector)
(Closes: #1050940)
  * [arm64] sound/pci: Enable SND_CMIPCI as a module
  * linux-image: bug: Update taint list and use upstream descriptions
  * [rt] Refresh "serial: 8250: implement non-BKL console"
  * [amd64] mm: Enable MEMORY_HOTPLUG_DEFAULT_ONLINE: Enable Online the newly
added memory blocks by default (Closes: #1049901)
  * [hppa] Add build-dependency on binutils-dev to get bfd.h and thus allow
disassembly of jitted programs in bpftool
  * [riscv64] enable CONFIG_ACPI
  * [riscv64] improve Starfive JH7110 support: enable CRYPTO_DEV_JH7110,
SND_SOC, SND_SOC_STARFIVE and SND_SOC_JH7110_TDM as modules
  * [x86] drivers/platform/x86/lenovo-ymc: Enable LENOVO_YMC as module
  * [arm64] Improve support for Allwinner H6 and affiliated SoCs
(Closes: #1038986)
- drivers/cpufreq: Enable ARM_ALLWINNER_SUN50I_CPUFREQ_NVMEM as module
- drivers/iommu: Enable SUN50I_IOMMU
- drivers/media/rc: Enable IR_SUNXI as module
- drivers/phy/allwinner: Enable PHY_SUN50I_USB3 as module
- sound/soc/sunxi: Enable SND_SUN50I_DMIC as module

Regards,
Salvatore




Re: Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems

2023-09-09 Thread Salvatore Bonaccorso
Hi,

On Sat, Sep 09, 2023 at 11:49:11AM +0300, Adrian Bunk wrote:
> On Sat, Sep 09, 2023 at 10:15:59AM +0200, Salvatore Bonaccorso wrote:
> >...
> > - Release the DSA without armel builds. This is not optimal and for the point release
> >   we need to have all builds, but this gives people who are still interested
> >   in this architecture a chance to step up and propose a fix for the problem; otherwise
> >   we then disable the image size check, effectively dropping some support.
> >...
> > armel people, can you ideally have a look at it ASAP and comment,
> > please? I would not like to delay the DSA for linux on
> > bookworm-security too much.
> 
> Releasing this DSA without armel and sorting out the issue for the point 
> release sounds like the best option to me.

FWIW, following Ben's approach for unstable, here is my proposed change
for bookworm in the near term:

https://salsa.debian.org/kernel-team/linux/-/merge_requests/844

I have verified by cross-building that the image size goes down to

Image size 2644124/2729712, using 96.86%.  Image fits.  Continuing.

which would be sufficient so far.

So we can at least include the above for the point release and
releasing the DSA earlier without the armel builds.

Thank you!

Regards,
Salvatore



Releasing linux/6.1.52-1 bookworm-security update without armel build, Image size problems

2023-09-09 Thread Salvatore Bonaccorso
Hi all,

We have problem with the image size of armel builds in bookworm. There
is a pending bookworm-security linux update pending which is currently
blocked due to armel FTBFS due to the image size increase:

https://people.debian.org/~carnil/buildd-logs/linux/linux_6.1.52-1_armel-2023-09-07T08:53:41Z.gz

debian/bin/buildcheck.py debian/build/build_armel_none_marvell armel none marvell
Can't read ABI reference.  ABI not checked!
Image size 2753652/2729712, using 100.88%.  Too large.  Refusing to continue.
make[2]: *** [debian/rules.real:169: debian/stamps/build_armel_none_marvell] Error 1
make[2]: Leaving directory '/<>'
make[1]: *** [debian/rules.gen:1615: build-arch_armel_none_marvell_real_image] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:39: build-arch] Error 2
dpkg-buildpackage: error: debian/rules binary-arch subprocess returned exit status 2

In fact we are already too close to 100% in any case, but there was a
bump between 6.1.41 and 6.1.42 upstream AFAICS:

6.1.52-1 Image size 2751596/2729712, using 100.80%.  Too large.  Refusing to continue.
6.1.51-1 Image size 2752212/2729712, using 100.82%.  Too large.  Refusing to continue.
6.1.47-1 Image size 2752676/2729712, using 100.84%.  Too large.  Refusing to continue.
6.1.45-1 Image size 2751292/2729712, using 100.79%.  Too large.  Refusing to continue.
6.1.43-1 Image size 2751348/2729712, using 100.79%.  Too large.  Refusing to continue.
6.1.42-1 Image size 2752924/2729712, using 100.85%.  Too large.  Refusing to continue.
6.1.41-1 Image size 2701348/2729712, using 98.96%.  Image fits.  Continuing.
6.1.40-1 Image size 2703956/2729712, using 99.06%.  Under 1% space in UNRELEASED.  Continuing.
6.1.38-1 Image size 2703076/2729712, using 99.02%.  Under 1% space in bookworm.  Continuing.

I doubt anybody is sensibly using armel nowadays under bookworm, so my proposed
course of action for unblocking the bookworm-security update is:

Either

- ignore the image size and implicitly drop support for devices which would break
  due to size constraints; the current upper limit is adjusted for the following:

  # Buffalo Linkstation LS-WSXL/WXL/WVL (from stock kernel): 2729776 - 64 = 2729712

or:

- Release the DSA without armel builds. This is not optimal and for the point release
  we need to have all builds, but this gives people who are still interested
  in this architecture a chance to step up and propose a fix for the problem; otherwise
  we then disable the image size check, effectively dropping some support.

Attached is the result of bloat-o-meter script between 6.1.41 and 6.1.42.

I might be putting myself in a bad spot, but should support for armel have been
dropped earlier, and should we do it for trixie, following what was done for
mipsel?

Note that the last time, the problem already arose earlier in
experimental and Ben worked around it there with
https://salsa.debian.org/kernel-team/linux/-/commit/9dfe6d33a4fd220394228b30cbbfdb3b444d36ec
We probably can do that as well here. 60443c88f3a8 ("kallsyms: Improve
the performance of kallsyms_lookup_name()") was in fact backported to
6.1.42. So what I would try next is to disable MPTCP and
FUNCTION_TRACER. But the problem with armel will remain.

armel people, can you ideally have a look at it ASAP and comment,
please? I would not like to delay the DSA for linux on
bookworm-security too much.

Thanks for having a look,

Regards,
Salvatore
add/remove: 7/6 grow/shrink: 50/14 up/down: 3772/-2456 (1316)
Function                             old     new   delta
check_max_stack_depth_subprog          -     720    +720
psi_rtpoll_worker                      -     648    +648
update_triggers                        -     504    +504
kallsyms_lookup_names.constprop        -     264    +264
do_check_common                     9892   10068    +176
__mark_chain_precision              2008    2148    +140
psi_trigger_create                   564     684    +120
dquot_writeback_dquots               428     548    +120
psi_trigger_destroy                  344     448    +104
psi_schedule_rtpoll_work               -      88     +88
__check_func_call                    880     968     +88
collect_percpu_times                 368     452     +84
is_callback_calling_function           -      64     +64
list_add                            2208    2256     +48
__inet_hash                          436     484     +48
request_key_and_link                1404    1448     +44
kvmalloc_array                         -      40     +40
bpf_lru_pop_free                     708     748     +40
list_add_tail                       2268    2304     +36
ip_send_unicast_reply                784     820     +36
psi_avgs_work                        180     212     +32
bpf_check                          10812   10844     +32

Uploading linux (6.4.13-1)

2023-08-31 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.4.13-1 later today.

It consists of importing as usual the new stable series up to 6.4.13,
and includes fixes for the following known CVEs: CVE-2023-20588,
CVE-2023-3772, CVE-2023-3773 and CVE-2023-4569.

The new upstream imports address as well #1042543 and #1050622.

An ABI bump is included for this update.

There are some other packaging changes apart from the stable imports
pending with this upload:

   * Bump ABI to 4
   * [arm64] Enable support for Renesas RZ/G2L-SMARC. Set ARCH_R9A07G044 for SoC
 support and enable RESET_RZG2L_USBPHY_CTRL as module for USB2.
 (Closes: #1049346)

Regards,
Salvatore




Uploading linux (6.4.11-1)

2023-08-17 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.4.11-1 later today.

It consists of importing as usual the new stable series 6.4.5 up to
6.4.11 and is covering the following known CVEs: CVE-2023-1206,
CVE-2023-4004, CVE-2023-4128, CVE-2023-4147, CVE-2023-4155,
CVE-2023-4194, CVE-2023-4273, CVE-2023-20588 and CVE-2023-34319.

The new upstream version import addresses as well #1042540 and
#1039092.

An ABI bump is included for this update.

There are some other packaging changes apart from the stable imports
pending with this upload:

  * [x86] drivers/platform/x86/intel/int3472: Enable INTEL_SKL_INT3472 as
module (Closes: #1038385)
  * Bump ABI to 3
  * [rt] Drop "posix-timers: Ensure timer ID search-loop limit is valid"
(applied upstream)
  * [rt] Update to 6.4.6-rt8
  * [rt] Drop "locking/rtmutex: Fix task->pi_waiters integrity" (applied
upstream)

Regards,
Salvatore




Re: linux image for 12.2?

2023-08-10 Thread Salvatore Bonaccorso
Hi,

On Tue, Aug 08, 2023 at 06:12:56PM +0100, Adam D. Barratt wrote:
> On Tue, 2023-08-08 at 11:53 -0500, Matt Zagrabelny wrote:
> > Greetings Debian Release Team,
> > 
> > Thank you for your service to Debian users, it is appreciated!
> > 
> > Are there plans to update the linux kernel for the 12.2 point
> > release?
> > 
> > I'm hitting a bug that is fixed (commit 3de4d22cc9ac7) in 6.1.43 and
> > am hoping that the next point release will include that kernel.
> > 
> 
> There's basically always a kernel update in every point release, but
> the specific version and any additional patches included is up to the
> kernel maintainers; adding the -kernel list to CC.

Yes it is planned to rebase linux to at least 6.1.45 or later for the
next bookworm point release.

Regards,
Salvatore



Bug#1043270: bullseye-pu: package autofs/5.1.7-1+deb11u2

2023-08-08 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org, Mike Gabriel , 
car...@debian.org
Control: affects -1 + src:autofs

Dear SRMs,

[ Reason ]
A regression was noticed in autofs from buster to the versions in the
upper suites. After upstream changes related to fixing NFS mounts from
IPv6, regressions with delayed mounts were noticed when having a
dual-stacked server while the client, though being in an IPv6-capable
subnet, is equipped only with an IPv4 address (and IPv6 link-local
addresses). It was initially reported at

https://www.spinics.net/lists/autofs/msg02643.html

tracking down the issue to missing checks for reachability when
calculating the proximity.

If an interface doesn't have an address of the family of the target
host, or the interface address is the IPv6 link local address, or
the target host address is the IPv6 link local address then don't
add it to the list of hosts to probe.

[ Impact ]
Getting noticeable delays in automounts in affected configurations.

[ Tests ]
Manual test with affected configuration and confirming back to
upstream (see thread).

[ Risks ]
Upstream provided patch for the issue which should involve minimal
risk to apply back to the affected versions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
From https://www.spinics.net/lists/autofs/msg02668.html

- use correct reference for IN6 macro call

> While the usage isn't strictly wrong it's also not correct and it
> passes compiler checks but it doesn't match the usage within the
> macro it's passed to.
> 
> Change it to match the IN6_* macro definition to reduce the potential
> for confusion.

- dont probe interface that cant send packet

See above in the reason paragraph.

[ Other info ]
For the debdiff: debdiff is generated against the current version
which is in bullseye-proposed-updates as this was already acked in
#1040950. If wanted I can additionally generate the debdiff against
5.1.7-1.

Regards,
Salvatore
diff -Nru autofs-5.1.7/debian/changelog autofs-5.1.7/debian/changelog
--- autofs-5.1.7/debian/changelog   2023-07-10 19:01:17.0 +0200
+++ autofs-5.1.7/debian/changelog   2023-08-08 10:31:29.0 +0200
@@ -1,3 +1,10 @@
+autofs (5.1.7-1+deb11u2) bullseye; urgency=medium
+
+  * use correct reference for IN6 macro call
+  * dont probe interface that cant send packet (Closes: #1041051)
+
+ -- Salvatore Bonaccorso   Tue, 08 Aug 2023 10:31:29 +0200
+
 autofs (5.1.7-1+deb11u1) bullseye; urgency=medium
 
   * debian/patches:
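Review bot: the first bullet, "use correct reference for IN6 macro call", names no bug and no patch file, and the part of the debdiff visible here only contains dont-probe-interface-that-cant-send-pac.patch; either the IN6 fix is folded into that patch or its own patch file lies beyond the excerpt, and the entry should make clear which. Citing the upstream message (msg02668, quoted in the mail) in the changelog would give both bullets a traceable origin.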
diff -Nru 
autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch 
autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch
--- autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
1970-01-01 01:00:00.0 +0100
+++ autofs-5.1.7/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
2023-08-08 10:30:32.0 +0200
@@ -0,0 +1,160 @@
+From: Ian Kent 
+Date: Thu, 13 Jul 2023 10:44:49 +0800
+Subject: autofs-5.1.8 - dont probe interface that cant send packet
+Origin: https://www.spinics.net/lists/autofs/msg02667.html
+Bug-Debian: https://bugs.debian.org/1041051
+
+When calculating the proximity add checks for basic reachability.
+
+If an interface doesn't have an address of the family of the target
+host, or the interface address is the IPv6 link local address, or
+the target host address is the IPv6 link local address then don't
+add it to the list of hosts to probe.
+
+Reported-by: Salvatore Bonaccorso 
+Tested-by: Salvatore Bonaccorso 
+Cc: Goldwyn Rodrigues 
+Cc: Mike Gabriel 
+Signed-off-by: Ian Kent 
+---
+ CHANGELOG|  1 +
+ lib/parse_subs.c | 36 +++-
+ modules/replicated.c | 19 +++
+ 3 files changed, 47 insertions(+), 9 deletions(-)
+
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index 0ee00d517718..3c95996eaf02 100644
+--- a/lib/parse_subs.c
 b/lib/parse_subs.c
+@@ -218,7 +218,7 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   int addr_len;
+   char buf[MAX_ERR_BUF];
+   uint32_t mask, ha, ia, *mask6, *ha6, *ia6;
+-  int ret;
++  int ret, at_least_one;
+ 
+   addr = NULL;
+   addr6 = NULL;
+@@ -228,6 +228,7 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   ha6 = NULL;
+   ia6 = NULL;
+   ha = 0;
++  at_least_one = 0;
+ 
+   switch (host_addr->sa_family) {
+   case AF_INET:
+@@ -245,6 +246,14 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   hst6_addr = (struct in6_addr *) >sin6_addr;
+   ha6 = _addr->s6_addr32[0];
+   addr_len = sizeof(*hst6_addr);
++
++  /* The link-local address a
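Review bot: the hunk introduces `at_least_one` and initialises it to 0, but the excerpt stops at the `/* The link-local address a` comment, so where the counter is incremented and what get_proximity() returns when it stays 0 is not visible; that return path is the behavioural change (interfaces that cannot reach the host are no longer probed) and should be verified against msg02667 named in the Origin header before accepting. The archive rendering has also dropped `&` in the context lines (`>sin6_addr`, `_addr->s6_addr32[0]`), which is a display artifact rather than a defect of the patch.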

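The reachability rule stated in the reason paragraph of both autofs requests (#1043270 above and #1043269 below), as an added example in Python rather than autofs's own C code: an interface is only used to probe a replicated server when the address families match and neither side is an IPv6 link-local address. `can_probe`, `select_probe_targets` and the interface and server addresses are constructed for this example, not taken from the patch.

```python
# Added example, not autofs code: the reachability rule from the bug
# report, applied to constructed interface and server addresses.
import ipaddress

# Constructed sample: a client with only an IPv4 global address plus the
# automatic IPv6 link-local address, sitting on an IPv6-capable subnet.
SAMPLE_INTERFACES = {
    'eth0': ['192.0.2.10', 'fe80::5054:ff:fe12:3456'],
}
# Constructed sample: a dual-stacked NFS server advertised under both of
# its addresses, plus a server known only by a link-local address.
SAMPLE_SERVERS = ['192.0.2.20', '2001:db8::20', 'fe80::1']


def can_probe(interface_addr, host_addr):
    """Return True if a probe from interface_addr can possibly reach host_addr.

    Skips the three cases the autofs fix names: address-family mismatch,
    IPv6 link-local interface address, IPv6 link-local target address.
    Link-local (fe80::/10) traffic never crosses the local link, so such a
    probe can only time out and delay the mount.
    """
    iface = ipaddress.ip_address(interface_addr)
    host = ipaddress.ip_address(host_addr)
    if iface.version != host.version:
        return False
    if iface.version == 6 and (iface.is_link_local or host.is_link_local):
        return False
    return True


def select_probe_targets(interfaces, servers):
    """Keep only the server addresses that at least one interface can probe.

    Addresses that no interface can reach are dropped rather than probed,
    which is what removes the timeout-driven mount delay from the report.
    """
    addrs = [a for addr_list in interfaces.values() for a in addr_list]
    return [s for s in servers if any(can_probe(a, s) for a in addrs)]
```

With the sample data only the IPv4 address of the dual-stacked server survives: the IPv6 global address is unreachable because the client's only IPv6 address is link-local, and the link-local server address is unreachable for the same reason.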
Bug#1043269: bookworm-pu: package autofs/5.1.8-2+deb12u2

2023-08-08 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: aut...@packages.debian.org, Mike Gabriel , 
car...@debian.org
Control: affects -1 + src:autofs

Dear SRMs,

[ Reason ]
A regression was noticed in autofs from buster to the versions in the
upper suites. After upstream changes related to fixing NFS mounts from
IPv6, regressions with delayed mounts were noticed when having a
dual-stacked server while the client, though being in an IPv6-capable
subnet, is equipped only with an IPv4 address (and IPv6 link-local
addresses). It was initially reported at

https://www.spinics.net/lists/autofs/msg02643.html

tracking down the issue to missing checks for reachability when
calculating the proximity.

If an interface doesn't have an address of the family of the target
host, or the interface address is the IPv6 link local address, or
the target host address is the IPv6 link local address then don't
add it to the list of hosts to probe.

[ Impact ]
Getting noticeable delays in automounts in affected configurations.

[ Tests ]
Manual test with affected configuration and confirming back to
upstream (see thread).

[ Risks ]
Upstream provided patch for the issue which should involve minimal
risk to apply back to the affected versions.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
From https://www.spinics.net/lists/autofs/msg02668.html

- use correct reference for IN6 macro call

> While the usage isn't strictly wrong it's also not correct and it
> passes compiler checks but it doesn't match the usage within the
> macro it's passed to.
> 
> Change it to match the IN6_* macro definition to reduce the potential
> for confusion.

- dont probe interface that cant send packet

See above in the reason paragraph.

[ Other info ]
None.

Regards,
Salvatore
diff -Nru autofs-5.1.8/debian/changelog autofs-5.1.8/debian/changelog
--- autofs-5.1.8/debian/changelog   2023-07-05 11:56:29.0 +0200
+++ autofs-5.1.8/debian/changelog   2023-08-08 10:27:23.0 +0200
@@ -1,3 +1,10 @@
+autofs (5.1.8-2+deb12u2) bookworm; urgency=medium
+
+  * use correct reference for IN6 macro call
+  * dont probe interface that cant send packet (Closes: #1041051)
+
+ -- Salvatore Bonaccorso   Tue, 08 Aug 2023 10:27:23 +0200
+
 autofs (5.1.8-2+deb12u1) bookworm; urgency=medium
 
   * debian/patches:
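Review bot: the changelog entry "use correct reference for IN6 macro call" carries no origin or bug reference, unlike the second entry, so from this diff alone it cannot be matched to a patch file; add the upstream thread (the cover mail cites msg02668) or the patch file name so both changes can be traced.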
diff -Nru 
autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch 
autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch
--- autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
1970-01-01 01:00:00.0 +0100
+++ autofs-5.1.8/debian/patches/dont-probe-interface-that-cant-send-pac.patch   
2023-08-08 10:25:44.0 +0200
@@ -0,0 +1,160 @@
+From: Ian Kent 
+Date: Thu, 13 Jul 2023 10:44:49 +0800
+Subject: autofs-5.1.8 - dont probe interface that cant send packet
+Origin: https://www.spinics.net/lists/autofs/msg02667.html
+Bug-Debian: https://bugs.debian.org/1041051
+
+When calculating the proximity add checks for basic reachability.
+
+If an interface doesn't have an address of the family of the target
+host, or the interface address is the IPv6 link local address, or
+the target host address is the IPv6 link local address then don't
+add it to the list of hosts to probe.
+
+Reported-by: Salvatore Bonaccorso 
+Tested-by: Salvatore Bonaccorso 
+Cc: Goldwyn Rodrigues 
+Cc: Mike Gabriel 
+Signed-off-by: Ian Kent 
+---
+ CHANGELOG|  1 +
+ lib/parse_subs.c | 36 +++-
+ modules/replicated.c | 19 +++
+ 3 files changed, 47 insertions(+), 9 deletions(-)
+
+diff --git a/lib/parse_subs.c b/lib/parse_subs.c
+index 0ee00d517718..3c95996eaf02 100644
+--- a/lib/parse_subs.c
 b/lib/parse_subs.c
+@@ -218,7 +218,7 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   int addr_len;
+   char buf[MAX_ERR_BUF];
+   uint32_t mask, ha, ia, *mask6, *ha6, *ia6;
+-  int ret;
++  int ret, at_least_one;
+ 
+   addr = NULL;
+   addr6 = NULL;
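Review bot: style point in this declaration hunk: at_least_one is declared here but only zeroed in the following hunk, next to the other locals; initialising it at the declaration (`int ret, at_least_one = 0;`) keeps the change in one place and drops a hunk. A name that says what is counted (interfaces able to reach the target host, per the patch description) would also read better than at_least_one.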
+@@ -228,6 +228,7 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   ha6 = NULL;
+   ia6 = NULL;
+   ha = 0;
++  at_least_one = 0;
+ 
+   switch (host_addr->sa_family) {
+   case AF_INET:
+@@ -245,6 +246,14 @@ unsigned int get_proximity(struct sockaddr *host_addr)
+   hst6_addr = (struct in6_addr *) >sin6_addr;
+   ha6 = _addr->s6_addr32[0];
+   addr_len = sizeof(*hst6_addr);
++
++  /* The link-local address always seems to be a problem so
++   * ignore it when trying to work out if the address we have
++   * is reachable.
++   */
++  if (I
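Review bot: the comment "always seems to be a problem" records a symptom rather than the rule being enforced; state it plainly, i.e. that an IPv6 link-local interface or target address is skipped because it cannot be used to reach a host outside its own link (the cover mail says exactly this). The hunk is cut off at `if (I` in this excerpt, so the condition itself and the place where at_least_one is set cannot be reviewed here.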

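The reachability rules the cover mail describes, as an added example in C that is not autofs code: it models the three checks (address-family mismatch, IPv6 link-local interface address, IPv6 link-local target address) over a constructed interface list for the dual-stack scenario from the report. The interface labels and addresses are invented for the demonstration, and no sockets are opened.

```c
/* Added example, not autofs code: filter interface addresses by the
 * reachability rules from the patch description before probing a host.
 * The interface list and all addresses below are constructed for the demo. */
#define _DEFAULT_SOURCE 1
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct iface_addr {
    const char *name;            /* hypothetical interface label */
    struct sockaddr_storage ss;  /* address assigned to it */
};

/* Fill a sockaddr_storage from text; returns 1 on success. */
static int fill_addr(struct sockaddr_storage *ss, int family, const char *text)
{
    memset(ss, 0, sizeof(*ss));
    if (family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *)ss;
        sin->sin_family = AF_INET;
        return inet_pton(AF_INET, text, &sin->sin_addr) == 1;
    }
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)ss;
    sin6->sin6_family = AF_INET6;
    return inet_pton(AF_INET6, text, &sin6->sin6_addr) == 1;
}

/* IPv6 link-local (fe80::/10) addresses are only valid on one link, so
 * they are never a usable endpoint for reaching a server elsewhere. */
static int is_v6_link_local(const struct sockaddr_storage *ss)
{
    const struct sockaddr_in6 *sin6 = (const struct sockaddr_in6 *)ss;
    return ss->ss_family == AF_INET6 && IN6_IS_ADDR_LINKLOCAL(&sin6->sin6_addr);
}

/* The three rules from the patch description: 1 = probe, 0 = skip. */
int should_probe(const struct sockaddr_storage *ifaddr,
                 const struct sockaddr_storage *target)
{
    if (ifaddr->ss_family != target->ss_family)
        return 0;                       /* no address of the target's family */
    if (is_v6_link_local(ifaddr) || is_v6_link_local(target))
        return 0;                       /* link-local on either side */
    return 1;
}

/* Count interfaces that would be probed for a textual target address;
 * -1 if the target address does not parse. */
int probe_candidates(const struct iface_addr *ifs, size_t n,
                     int family, const char *target_text)
{
    struct sockaddr_storage target;
    int count = 0;

    if (!fill_addr(&target, family, target_text))
        return -1;
    for (size_t i = 0; i < n; i++)
        if (should_probe(&ifs[i].ss, &target))
            count++;
    return count;
}

/* Scenario from the report: the client has a global IPv4 address plus
 * only an IPv6 link-local address, while the server is dual-stacked.
 * Returns the number of probe candidates for the given target. */
int dualstack_scenario(int family, const char *target_text)
{
    struct iface_addr ifs[2];

    ifs[0].name = "eth0 (IPv4)";
    fill_addr(&ifs[0].ss, AF_INET, "192.0.2.10");
    ifs[1].name = "eth0 (IPv6 link-local)";
    fill_addr(&ifs[1].ss, AF_INET6, "fe80::1");
    return probe_candidates(ifs, 2, family, target_text);
}

int main(void)
{
    printf("IPv6 target: %d candidate(s)\n", dualstack_scenario(AF_INET6, "2001:db8::1"));
    printf("IPv4 target: %d candidate(s)\n", dualstack_scenario(AF_INET, "192.0.2.1"));
    return 0;
}
```

With the filter in place the IPv6 address of the dual-stacked server gets no probe at all from this client, so the mount proceeds over IPv4 instead of waiting for a probe that can never answer.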
Uploading linux (6.4.4-2)

2023-07-29 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.4.4-2 later today. The rebase
to a later 6.4.y will follow. The update consists of adding kernel
side mitigation for CVE-2023-20593 (Zenbleed) and fixes for
CVE-2023-3776 and CVE-2023-3611.

No ABI bump is done.

Additionally there is a packaging change as follows:

   * [sh4] Add i2c-modules udeb for sh7785lcr flavor

Regards,
Salvatore




Uploading linux (6.4.4-1)

2023-07-22 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.4.4-1 later the upcoming days
to unstable. This is quite unfortunate as I wanted to have the
security fixes from 6.3.11-1 for a while now in unstable, but the
transition is blocked due to #1040178.

The new upload would consist of a new upstream version switching to
the 6.4.y series in unstable. An ABI bump is included.

Prominently the new version will finally fix CVE-2023-3269 (StackRot,
cf. DSA-5448-1), and as well CVE-2023-31248 and CVE-2023-35001 in
nf_tables.

Apart from switching from 6.3.y to 6.4.y series there are additional
changes covering:

  * [riscv64] enable CONFIG_SND_HDA_INTEL as module
  * Compile with gcc-13 on all architectures
  * [rt] Refresh "serial: 8250: implement non-BKL console"
  * kernel/trace: Enable FPROBE
  * d/rules.real: Fix CROSS_COMPILE definition for hppa native build
(regression in 6.4~rc7-1~exp1)
  * Include kbuild package into ABI. (closes: #1040178)
  * [powerpc,riscv64,s390x] Enable DEBUG_INFO_BTF.
  * [riscv64] Enable devices added in 6.4 for StarFive JH7110 RISC-V SoC:
SENSORS_SFCTEMP, MMC_DW, MMC_DW_STARFIVE and STARFIVE_WATCHDOG.
  * [hppa] Allow up to 16 CPUs with 32-bit kernel
  * [hppa] Build some more fbdev graphic card drivers as modules
  * Enable all RTW88 variants (USB + SDIO). (Closes: #1038409)
  * [rt] Update to 6.4-rt6
  * [x86] drivers/platform/x86/hp: Enable X86_PLATFORM_DRIVERS_HP
(Closes: #1038799)
  * mm: Enable Multi-Gen LRU implementation (by default) (Closes: #1030617)
  * linux-perf: Add libtraceevent-dev to Build-Depends (fixes FTBFS on several
architectures)
  * linux-image: Define CROSS_COMPILE and CROSS_COMPILE_COMPAT more consistently
  * [hppa] linux-headers: Fix toolchain dependencies
  * [hppa] Make cross-builds work
  * [m68k] Fix invalid .section syntax (fixes FTBFS)
  * d/rules.real: Also remove executable bit from dtbo files
  * [mips*]: Enable more drivers for boston
  * [mips*]: Install dtbs for mipsel and mips64el
  * linux-perf: Update build rules and dependencies for change to
demangling
  * linux-perf: Build C++ code with Debian standard compiler flags

Having 6.3.11-1 in testing would really have been preferred but I understand
people do not want to have #1040178 exposed, so let's try to move ahead with
the 6.4.y series.

Ben and Bastian, let me know loudly if you disagree on the plan to upload
6.4.4-1 for unstable.

Regards,
Salvatore




Bug#1040818: bookworm-pu: package libxml2/2.9.14+dfsg-1.3~deb12u1

2023-07-10 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: libx...@packages.debian.org, car...@debian.org
Control: affects -1 + src:libxml2

Hi stable release managers,

[ Reason ]
libxml2 in bookworm and older is affected by CVE-2022-2309.
The issue does not warrant a DSA, so I prepared an update to be
included in the next point release.

[ Impact ]
CVE-2022-2309 remains open for bookworm.

[ Tests ]
None specifically.

[ Risks ]
The two commits are isolated.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
The two commits from upstream do reset ctxt->nsNr to 0 in xmlCtxtReset
(the original report) and as well in htmlCtxtReset to address the
issue in libxml2.

[ Other info ]
None.

Thanks for considering accepting the update as well for bookworm. I'm
aiming as well to do the same for bullseye-pu, but this has not been
done yet.

Regards,
Salvatore
diff -Nru libxml2-2.9.14+dfsg/debian/changelog 
libxml2-2.9.14+dfsg/debian/changelog
--- libxml2-2.9.14+dfsg/debian/changelog2023-04-15 16:25:06.0 
+0200
+++ libxml2-2.9.14+dfsg/debian/changelog2023-07-10 21:58:07.0 
+0200
@@ -1,3 +1,17 @@
+libxml2 (2.9.14+dfsg-1.3~deb12u1) bookworm; urgency=medium
+
+  * Rebuild for bookworm
+
+ -- Salvatore Bonaccorso   Mon, 10 Jul 2023 21:58:07 +0200
+
+libxml2 (2.9.14+dfsg-1.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Reset nsNr in xmlCtxtReset (CVE-2022-2309) (Closes: #1039991)
+  * Also reset nsNr in htmlCtxtReset (CVE-2022-2309) (Closes: #1039991)
+
+ -- Salvatore Bonaccorso   Sat, 08 Jul 2023 21:18:29 +0200
+
 libxml2 (2.9.14+dfsg-1.2) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru 
libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch 
libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch
--- libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch   
1970-01-01 01:00:00.0 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/Also-reset-nsNr-in-htmlCtxtReset.patch   
2023-07-10 21:58:07.0 +0200
@@ -0,0 +1,27 @@
+From: Nick Wellnhofer 
+Date: Thu, 28 Jul 2022 21:35:17 +0200
+Subject: Also reset nsNr in htmlCtxtReset
+origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/a82ea25fc83f563c574ddb863d6c17d9c5abdbd2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309
+Bug-Debian: https://bugs.debian.org/1039991
+
+---
+ HTMLparser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/HTMLparser.c b/HTMLparser.c
+index 9079fa8aa52d..1520663ba2af 100644
+--- a/HTMLparser.c
 b/HTMLparser.c
+@@ -6743,6 +6743,8 @@ htmlCtxtReset(htmlParserCtxtPtr ctxt)
+ ctxt->nameNr = 0;
+ ctxt->name = NULL;
+ 
++ctxt->nsNr = 0;
++
+ DICT_FREE(ctxt->version);
+ ctxt->version = NULL;
+ DICT_FREE(ctxt->encoding);
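Review bot: missing documentation: the patch has no description after the DEP-3 header, so a backporter cannot tell whether htmlCtxtReset was found to be affected or is changed only for consistency with xmlCtxtReset; one sentence from the upstream commit or issue would settle that. The field should also be "Origin:" rather than "origin:" (the autofs patch earlier on this page uses the capitalised DEP-3 form).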
+-- 
+2.40.1
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 
libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch
--- libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 
1970-01-01 01:00:00.0 +0100
+++ libxml2-2.9.14+dfsg/debian/patches/Reset-nsNr-in-xmlCtxtReset.patch 
2023-07-10 21:58:07.0 +0200
@@ -0,0 +1,27 @@
+From: Nick Wellnhofer 
+Date: Mon, 18 Jul 2022 20:59:45 +0200
+Subject: Reset nsNr in xmlCtxtReset
+origin: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/5930fe01963136ab92125feec0c6204d9c9225dc
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-2309
+Bug-Debian: https://bugs.debian.org/1039991
+
+---
+ parser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/parser.c b/parser.c
+index d278638dd6d4..e660b0a7d499 100644
+--- a/parser.c
 b/parser.c
+@@ -14820,6 +14820,8 @@ xmlCtxtReset(xmlParserCtxtPtr ctxt)
+ ctxt->nameNr = 0;
+ ctxt->name = NULL;
+ 
++ctxt->nsNr = 0;
++
+ DICT_FREE(ctxt->version);
+ ctxt->version = NULL;
+ DICT_FREE(ctxt->encoding);
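Review bot: nsNr is zeroed but the nsTab entries are left in place, while the neighbouring lines free version and encoding with DICT_FREE; that is fine if the table only holds dictionary-owned strings, but the reset should be checked against whatever frees nsTab elsewhere so that nothing is leaked or freed twice. The patch body also lacks a line explaining why a stale nsNr matters; a sentence from the upstream issue would help future backporters.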
+-- 
+2.40.1
+
diff -Nru libxml2-2.9.14+dfsg/debian/patches/series 
libxml2-2.9.14+dfsg/debian/patches/series
--- libxml2-2.9.14+dfsg/debian/patches/series   2023-04-15 16:25:06.0 
+0200
+++ libxml2-2.9.14+dfsg/debian/patches/series   2023-07-10 21:58:07.0 
+0200
@@ -6,3 +6,5 @@
 schemas-Fix-null-pointer-deref-in-xmlSchemaCheckCOSS.patch
 CVE-2023-28484-Fix-null-deref-in-xmlSchemaFixupCompl.patch
 CVE-2023-29469-Hashing-of-empty-dict-strings-isn-t-d.patch
+Reset-nsNr-in-xmlCtxtReset.patch
+Also-reset-nsNr-in-htmlCtxtReset.patch
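The bug class behind the two commits, as an added example that is not libxml2 code: a toy reusable parser context with a namespace table, showing that a reset which clears the element-name counter but leaves nsNr alone lets bindings from an abandoned document leak into the next one parsed with the same context. The struct, the function names and the "urn:first-doc" binding are invented for the demonstration; the model borrows libxml2's field names but does not reproduce its internals or the exact failure reported as CVE-2022-2309.

```c
/* Added example, not libxml2 code: a toy reusable parser context whose
 * namespace table (nsTab/nsNr, named after libxml2's fields) survives a
 * reset that forgets to clear nsNr. All data here is constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NS_MAX 8

struct toy_ctxt {
    const char *nsTab[NS_MAX * 2];  /* prefix, URI, prefix, URI, ... */
    int nsNr;                       /* entries in use (two per binding) */
    int nameNr;                     /* open-element depth */
};

/* Bind prefix -> uri for the element being opened; 0 on overflow. */
static int ns_push(struct toy_ctxt *c, const char *prefix, const char *uri)
{
    if (c->nsNr + 2 > NS_MAX * 2)
        return 0;
    c->nsTab[c->nsNr++] = prefix;
    c->nsTab[c->nsNr++] = uri;
    return 1;
}

/* Innermost binding for prefix, or NULL when it is undeclared. */
static const char *ns_lookup(const struct toy_ctxt *c, const char *prefix)
{
    for (int i = c->nsNr - 2; i >= 0; i -= 2)
        if (strcmp(c->nsTab[i], prefix) == 0)
            return c->nsTab[i + 1];
    return NULL;
}

/* Reset as before the fix: element names are forgotten, nsNr is not. */
void reset_before_fix(struct toy_ctxt *c)
{
    c->nameNr = 0;
}

/* Reset with the fix from the two commits: nsNr goes back to zero too. */
void reset_fixed(struct toy_ctxt *c)
{
    c->nameNr = 0;
    c->nsNr = 0;
}

/* First use of the context: the document declares xmlns:a on its root
 * and is abandoned before the end tag (a parse error, say), so the
 * binding is never popped. */
static void parse_first_document_aborted(struct toy_ctxt *c)
{
    c->nameNr = 1;
    ns_push(c, "a", "urn:first-doc");
}

/* Reuse the context for a second document that never declares "a" and
 * report what the parser would resolve "a:elem" to: NULL is correct,
 * anything else is state leaked across the reset. */
const char *prefix_seen_by_second_document(void (*reset)(struct toy_ctxt *))
{
    struct toy_ctxt c;

    memset(&c, 0, sizeof(c));
    parse_first_document_aborted(&c);
    reset(&c);
    return ns_lookup(&c, "a");
}

int main(void)
{
    const char *stale = prefix_seen_by_second_document(reset_before_fix);
    const char *clean = prefix_seen_by_second_document(reset_fixed);

    printf("before fix: a -> %s\n", stale ? stale : "(undeclared)");
    printf("with fix:   a -> %s\n", clean ? clean : "(undeclared)");
    return 0;
}
```

The general lesson is the one the two commits encode: a context that is reused across documents must reset every stack counter, not just the ones that happened to be noticed first, or the next document starts with bindings it never declared.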


Uploading linux (6.3.10-1)

2023-06-30 Thread Salvatore Bonaccorso
Hi

I would like to upload linux version 6.3.10-1 later the upcoming days
to unstable.

It consists of importing as usual the new stable series 6.3.8 up to
6.3.10 and is covering as well CVE-2023-2156 and CVE-2023-3390. 

An ABI bump is included for this update. 

There are some other packaging changes apart from the stable imports
pending with this upload:

   * Ignore ABI changes for xfrm_bpf_md_dst (only for use in xfrm subsystem)
   * [amd64,arm64] drivers/virtio: Enable VIRTIO_MEM as module (Closes: 
#1038665)
   * Bump ABI to 2
   * Add pkg.linux.mintools profile for building minimal userland tools
   * d/b/test-patches: Build linux-{kbuild,bootwrapper} packages
 (Closes: #871216, #1035359)
   * [hppa] Allow up to 16 CPUs with 32-bit kernel

Regards,
Salvatore




Bug#1038390: bookworm-pu: package vte2.91/0.70.6-1~deb12u1

2023-06-17 Thread Salvatore Bonaccorso
Hi Simon,

On Sat, Jun 17, 2023 at 03:22:21PM +0100, Simon McVittie wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: vte2...@packages.debian.org, debian-b...@lists.debian.org, 
> t...@security.debian.org
> Control: affects -1 + src:vte2.91
> 
> [ Reason ]
> Fix an infinite-loop bug processing a particular control sequence.
> (#1037919, LP: #2022019)
> 
> [ Impact ]
> If unfixed, the infinite loop could be triggered by a malicious program
> accessed via ssh, telnet or similar protocols and used as a denial of
> service. I asked the security team whether they wanted to do a DSA for
> this and haven't heard back, so I'm assuming the answer is no.

Apologies, we missed replying to your question in #1037919. The
point release approach looks indeed fine.

FWIW, do you know if upstream has requested a CVE for it?

Regards,
Salvatore



Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1

2023-06-14 Thread Salvatore Bonaccorso
Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
> 
> Dear Release team,
> 
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
> 
> [ Reason ]
> Grave bug #1036706 has been filled a few days before the release of Bookworm.
> This is a security bug associated to CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was the fix of this bug, which amounts to cherry-pick one commit of
> upstream, should land in Bookworm during a point release.
> 
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this 
> is
> where there might be some hazard.
> 
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
> 
> [ Risks ]
> Code is very simple, only 2 lines are changed. Upstream has published it
> three weeks ago and it has issued new upstream versions since then.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
> 
> 
> 
> Thanks for your help,
> 
> Best,
> 
> -- 
> Pierre

> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 
> xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 
> 14:24:45.0 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 
> 23:19:59.0 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> +  * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet   Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore



Bug#1037444: bookworm-pu: package kanboard/1.2.26+ds-4

2023-06-14 Thread Salvatore Bonaccorso
Hi Joseph,

[disclaimer, not a release team member but I believe I can give input on
the debdiff below]

On Mon, Jun 12, 2023 at 08:19:55PM -0400, Joseph Nahmias wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: kanbo...@packages.debian.org, j...@nahmias.net
> Control: affects -1 + src:kanboard
> 
> [ Reason ]
> Security updates for kanboard since v1.2.26.
> 
> [ Tests ]
> upstream's unit test suite are run at build time and via autopkgtest.
> there are also some other (superficial) autopkgtests.
> 
> [ Risks ]
> All listed CVEs have targeted fixes picked from upstream github.
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Other info ]
> 
> My first stable update, so please advise if I missed anything.
> --Joe

> diff -Nru kanboard-1.2.26+ds/debian/changelog 
> kanboard-1.2.26+ds/debian/changelog
> --- kanboard-1.2.26+ds/debian/changelog   2023-05-16 22:49:38.0 
> -0400
> +++ kanboard-1.2.26+ds/debian/changelog   2023-06-07 20:45:40.0 
> -0400
> @@ -1,3 +1,24 @@
> +kanboard (1.2.26+ds-4) unstable; urgency=medium
> +
> +  * backport security fixes from kanboard v1.2.30
> + > CVE-2023-33956: Parameter based Indirect Object Referencing leading
> +   to private file exposure
> + > CVE-2023-33968: Missing access control allows user to move and
> +   duplicate tasks to any project in the software
> + > CVE-2023-33969: Stored XSS in the Task External Link Functionality
> + > CVE-2023-33970: Missing access control in internal task links feature
> +(Closes: #1037167)
> +
> + -- Joseph Nahmias   Wed, 07 Jun 2023 20:45:40 -0400
> +
> +kanboard (1.2.26+ds-3) unstable; urgency=medium
> +
> +  * backport fix for CVE-2023-32685 from kanboard v1.2.29
> +
> https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
> +Based on upstream commits 26b6eeb & c9c1872. (Closes: #1036874)
> +
> + -- Joseph Nahmias   Sun, 28 May 2023 21:42:46 -0400

This seems to be the current debdiff between bookworm and the unstable
version. But now that bookworm is released, a package does not migrate
anymore from there to stable. What is needed above is to apply the
needed patches on top of the 1.2.26+ds-2 version in testing and
version it such that it is 1.2.26+ds-2+deb12u1.

The developers-reference has some additional hints:
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions

Hope this helps,
Regards,
Salvatore



Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1

2023-06-12 Thread Salvatore Bonaccorso
Hi Nicholas,

On Mon, Jun 12, 2023 at 07:44:52PM -0400, Nicholas D Steeves wrote:
> Control: block 1033341 by -1
> 
> Dear Salvatore and release team,
> 
> Salvatore Bonaccorso  writes:
> 
> > On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> >> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
> >> +
> >> +  * Fix Org Mode command injection vulnerability CVE-2023-28617 by 
> >> backporting
> >> +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like 
> >> src:emacs
> >> +did (Closes: #1033341).  Thanks to Rob Browning's work in that 
> >> package,
> >> +fixing org-mode was trivially easy!
> >> +
> >> + -- Nicholas D Steeves   Sun, 04 Jun 2023 13:26:52 -0400
> >
> > Small remark, for the bullseye pu update please target at 'bullseye'
> > not 'bullseye-security'.
> >
> 
> Done.  That was actually my first instinct, but I thought the existence
> of a CVE would destine the upload to the -security queue!  I was wrong,
> but this is a teaching/learning moment.
> 
> Is it as simple as: Use the -security queue when a DSA is needed,
> otherwise use the normal distribution code name and the foo-updates
> queue?  No need to explain if it's more complicated and if you're busy.
> (I couldn't find documentation of this in the Dev Ref)

What is as well different for the uploads is to which upload queue you
would upload in the end. ftp-master for the proposed-updates via point
release, security-master for the security uploads.

There are two good entry points about the uploads for stable:

https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#special-case-uploads-to-the-stable-and-oldstable-distributions
https://www.debian.org/doc/manuals/developers-reference/pkgs.en.html#handling-security-related-bugs

Hope this helps!

Regards,
Salvatore



Uploading linux (6.3.7-1)

2023-06-11 Thread Salvatore Bonaccorso
Hi,

Happy bookworm release :).

I would like to upload linux version 6.3.7-1 later the upcoming days
to unstable.

It consists of a new upstream version switching from the 6.1.y series
to 6.3.y. An ABI bump is included.

Apart from switching from 6.1.y to 6.3.y there are additional changes
covering:

  * [arm*] Add symbol information to raspberry pi device trees. This is useful
when device tree overlays are used.
  * [rt] Update to 6.3.3-rt15
  * drivers/ptp: Make PTP_1588_CLOCK builtin (except armel/marvell)
(Closes: #1036744)
  * [riscv64] rtc: Enable RTC_DRV_DS1307, RTC_DRV_PCF85063 and RTC_DRV_PCF8563
as modules.
  * [arm64,armhf] drivers/mailbox: Enable ROCKCHIP_MBOX
  * [armhf] drivers/mailbox: Drop OMAP_MBOX_KFIFO_SIZE setting
  * drivers/input/joystick: Enable INPUT_JOYSTICK by default (except for s390x
and cloud configuration) (Closes: #1035063)
  * [arm64] Improve support for rk3328 devices
- drivers/clk: Enable COMMON_CLK
- drivers/clk/rockchip: Enable CLK_RK3328
- drivers/cpuidle[arm]: Enable ARM_PSCI_CPUIDLE_DOMAIN
- drivers/gpio: Enable GPIO_ROCKCHIP as module
- drivers/gpio: Enable GPIO_SYSCON as module
- drivers/pinctrl: Enable PINCTRL_ROCKCHIP as module
- drivers/power/reset: Enable SYSCON_REBOOT_MODE as module
- drivers/soc/rockchip: Enable ROCKCHIP_GRF
  * [arm64] Improve support for rk3399 devices
- drivers/clk/rockchip: Enable CLK_RK3399
- drivers/mmc/core: Enable PWRSEQ_SIMPLE
- drivers/soc/rockchip: Enable ROCKCHIP_DTPM as module
- drivers/usb/dwc3: Enable USB_DWC3_OF_SIMPLE as module
  * [arm64] Improve support for rk356x devices
- drivers/clk/rockchip: Enable CLK_RK3568
- drivers/firmware/arm_scmi: Enable ARM_SCMI_TRANSPORT_SMC
- drivers/gpu/drm/bridge: Enable DRM_DISPLAY_CONNECTOR as module
- drivers/misc: Enable SRAM
  * net/hsr: Enable PRP/HSR protocols as module (Closes: #1034506)
  * drivers/net/wireless/realtek/rtw89: Enable RTW89_8852BE and RTW89_8852CE
as modules (Closes: #1035569)
  * drivers/tty: Unset LEGACY_TIOCSTI (Closes: #1033095)
  * d/rules.real: Fix typo in setup_image target.
  * [riscv64] Enable support for hardware added in Linux 6.2 and 6.3 based on
the upstream defconfig update: ARCH_R9A07G043, ARCH_RENESAS, ARCH_SUNXI,
DMADEVICES, DMA_SUN6I, DRM_SUN4I, HW_RANDOM_JH7110, I2C_MV64XXX,
MMC_SUNXI, NOP_USB_XCEIV, NVMEM_SUNXI_SID, PHY_SUN4I_USB, REGULATOR,
REGULATOR_FIXED_VOLTAGE, RTC_DRV_SUN6I, SERIAL_SH_SCI, SPI_SUN6I,
STMMAC_ETH, SUN50I_IOMMU, SUNXI_WATCHDOG, USB_MUSB_HDRC, USB_MUSB_SUNXI.
  * [mips*] Increase RELOCATION_TABLE_SIZE to 0x1d (fixes FTBFS)
  * [sh4/sh7785lcr] Modularise drivers to shrink kernel image (fixes FTBFS):
- ata: Change ATA, SATA_SIL from built-in to modular
- SCSI: Change SCSI, BLK_DEV_SD from built-in to modular
- USB: Change USB, USB_EHCI_HCD, USB_R8A66597_HCD,_USB_STORAGE from
  built-in to modular
- udeb: Add ata-modules, scsi-core-modules, usb-modules packages
  * [armel/marvell]: Disable features to shrink kernel image (fixes FTBFS):
- security: Disable SECURITY_APPARMOR_EXPORT_BINARY
- tcp: Disable MPTCP
- tracing: Disable FUNCTION_TRACER
  * linux-kbuild: Fix cross-build regression in objtool in 6.3
  * linux-kbuild: Add support for objtool powerpc target
  * d/templates: Improve package description for "header" packages
  * d/rules.real: Enable limiting of compression threading
  * [arm64,armhf] drivers/hwtracing/coresight: Enable components
  * Enable MEI options for Intel ARC GPUs as modules (Closes: #1028463)
- [amd64] drivers/gpu/drm/i915: Enable DRM_I915_PXP
- [x86] drivers/misc/mei: Enable INTEL_MEI_GSC as module
- [x86] drivers/misc/mei/pxp: Enable INTEL_MEI_PXP as module
  * Enable Intel Trust Domain Extensions - Guest Support (Closes: #1032437)
- [amd64] arch/x86: Enable INTEL_TDX_GUEST
- [amd64] drivers/virt/coco/tdx-guest: Enable TDX_GUEST_DRIVER as module
  * [amd64] drivers/platform/x86/intel/ifs: Enable Intel In-Field Scan (IFS)
INTEL_IFS as module (Closes: #1033061)
  * Update for 6.2:
- libcpupower1: Update symbols file
- d/patches: Forward and add patches to fix hardening issues
- d/rules: Let blhc ignore perf tests binaries that are compiled without
  fortification (by Uwe Kleine-König)
- [rt] Update to 6.2-rt3
  * Update for 6.3:
- linux-kbuild: Stop building bin2c
  * iwlwifi: Enable device tracing
  * [arm*] Enable NVMEM_RMEM which is useful (at least) on raspberry pi

Regards,
Salvatore




Bug#1037263: unblock: php8.2/8.2.7-1

2023-06-09 Thread Salvatore Bonaccorso
Hi,

On Fri, Jun 09, 2023 at 08:06:41PM +0200, Ondřej Surý wrote:
> 
> 
> > On 9. 6. 2023, at 20:03, Paul Gevers  wrote:
> > 
> > Hi Ondřej,
> > 
> >> On 09-06-2023 18:58, Ondřej Surý wrote:
> >> php8.2 8.2.7-1 is a security release, so it would be pretty
> >> wrong to release bookworm with the old PHP.  I am sorry for
> >> the timing, but that's just coincidence.
> > 
> > Sorry, but this is really about 1 week too late (we are in the quite 
> > periode to prepare for tomorrow). From last weekend on security issues are 
> > handled by the security team. Otherwise you can prepare a point release 
> > update, but that's handled with different usertags and meta data.
> 
> I’ve already reached to the security team, so I guess we’ll handle
> it there. I didn’t know that bookworm-security has been open now.

Let's close this unblock request, as mentioned already in the mail to
team@s.d.o we can go through bookworm-security. Only thing to be
careful about here is the used version, as 8.2.7-1 will go to unstable, for
bookworm-security we would have 8.2.7-1~deb12u1 (as this is just a
rebuild of the version, if on the other hand the packaging would have
diverged and importing a new upstream version on top, then it would
have been 8.2.7-0+deb12u1).

Regards,
Salvatore



Bug#1037175: [preapproval] bullseye-pu: package org-mode/9.4.0+dfsg-1+deb11u1

2023-06-07 Thread Salvatore Bonaccorso
Hi,

On Tue, Jun 06, 2023 at 11:00:14PM -0400, Nicholas D Steeves wrote:
> +org-mode (9.4.0+dfsg-1+deb11u1) bullseye-security; urgency=medium
> +
> +  * Fix Org Mode command injection vulnerability CVE-2023-28617 by 
> backporting
> +0004-Org-Mode-vulnerability-CVE-2023-28617-is-fixed.patch like src:emacs
> +did (Closes: #1033341).  Thanks to Rob Browning's work in that package,
> +fixing org-mode was trivially easy!
> +
> + -- Nicholas D Steeves   Sun, 04 Jun 2023 13:26:52 -0400

Small remark, for the bullseye pu update please target at 'bullseye'
not 'bullseye-security'.

Regards,
Salvatore



Bug#1037079: unblock: configobj/5.0.8-2

2023-06-04 Thread Salvatore Bonaccorso
Hi,

On Sun, Jun 04, 2023 at 09:50:23PM +0200, Sebastian Ramacher wrote:
> retitle 1037079 bookworm-pu: configobj/5.0.8-2
> tags 1037079 bookworm moreinfo
> user release.debian@packages.debian.org
> usertags 1037079 + pu - unblock
> thanks
> 
> Hi Stefano
> 
> On 2023-06-03 16:28:41 -0400, Stefano Rivera wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: config...@packages.debian.org
> > Control: affects -1 + src:configobj
> > 
> > Please unblock package configobj
> 
> We have entered the quiet period of bookworm [1]. Please consider
> fixing this issue via bookworm-pu. As this update fixes a security
> issue, please also check with the Security Team in case this update is
> worth of a DSA.

As it does not warrant a DSA, the first bookworm point release is fine
for it.

Regards,
Salvatore



Bug#1035748: marked as done (unblock: modsecurity/3.0.9-1)

2023-06-03 Thread Salvatore Bonaccorso
Hi Paul,

On Sat, Jun 03, 2023 at 06:12:04AM +, Debian Bug Tracking System wrote:
[...]
> 
> Hi,
> 
> On 02-06-2023 22:50, Ervin Hegedüs wrote:
> > And these are the generated lines:
> > 
> > https://github.com/SpiderLabs/ModSecurity/blob/v3/master/src/parser/Makefile.am#L36-L42
> 
> And excluding those, I can now confirm that this looks like a targeted
> upstream fix release.
> 
> unblocked.

Thanks for the unblock!

Regards,
Salvatore



Bug#1035748: unblock: modsecurity/3.0.9-1

2023-06-01 Thread Salvatore Bonaccorso
Hi Paul,

On Thu, Jun 01, 2023 at 09:52:06PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
> 
> Hi,
> 
> On 28-05-2023 21:30, Alberto Gonzalez Iniesta wrote:
> > 2) The risks on the release quality are almost zero. Only
> > libnginx-mod-http-modsecurity depends on it (being modsecurity a
> > library).
> 
> That's not the only part that we mean here. We also mean, how big is the
> risk we introduce new *unknown* issues.
> 
> > 4) No idea
> 
> Then I don't think so. If your upstream would have a decent stable update
> policy, they wouldn't introduce so many gratuitous changes (e.g. white space
> only).
> 
> > 6) Yes
> 
> I fail to spot it. Can you please point which version?
> 
> > 7) Its too long but mainly because of line numbers being updated in code
> > comments, like:
> > -#line 1459 "seclang-parser.yy"
> > +#line 1461 "seclang-parser.yy"
> > 8) Not that many code changes
> 
> Yet there is a huge amount of white space changes and other changes that
> look gratuitous. This is really not looking like a targeted fix. @Salvatore,
> can we do a targeted security upload via security?

The targeted should be (Alberto, Ervin can you confirm)
https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785
. While it would have been nice to start with modsecurity without
(known) security issues open in bookworm, I guess at this point of the
release preparation and soon entering the last week, skip it and the
CVE can be fixed in the first bookworm point release.

Regards,
Salvatore

p.s.: The PCRE to PCRE2 switch is one other aspect why it would have
  been nice to have 3.0.9 in bookworm.



Re: should the Release Notes be updated concerning bookworm security

2023-06-01 Thread Salvatore Bonaccorso
Hi Paul,

On Mon, May 29, 2023 at 02:36:22PM +0200, Paul Gevers wrote:
> Dear security team,
> 
> I know it's a bit late, but are you aware of issues that are worth
> mentioning in the release notes from your point of view?
> 
> We have updated the text about golang and rustc in this cycle, chromium got
> a mention about reduced support time-wise and I updated the openjdk versions
> and dates. Is that all?
> 
> Paul
> 
> Current version jumping straight to the security section:
> https://www.debian.org/releases/testing/amd64/release-notes/ch-information.en.html#limited-security-support
> or the source:
> https://salsa.debian.org/ddp-team/release-notes/

Slight rewording for the sections proposed in

https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/182

after exchanging with Moritz.

Regards,
Salvatore



Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2

2023-05-31 Thread Salvatore Bonaccorso
Hi Yadd,

On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bullseye
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: jquer...@packages.debian.org
> Control: affects -1 + src:jqueryui
> 
> [ Reason ]
> jqueryui is potentially vulnerable to cross-site scripting
> (CVE-2022-31160)
> 
> [ Impact ]
> Low security issue
> 
> [ Tests ]
> Sadly tests are minimal in this package. Anyway passed
> 
> [ Risks ]
> Low risk, patch is trivial
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Don't accept label outside of the root element
> 
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog
> index 3a6a587..9b1e9cc 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium
> +
> +  * Team upload
> +  * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: 
> CVE-2022-31160)
> +
> + -- Yadd   Wed, 31 May 2023 15:08:55 +0400
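Review bot: the "Closes: CVE-2022-31160" in the new changelog entry will not close anything, since the Debian changelog parser only picks up bug numbers after "Closes:"; keep the CVE reference in the entry text and add the actual bug number, e.g. "(CVE-2022-31160) (Closes: #1015982)", so the upload closes the corresponding bug report.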

Minor thing, you could as well close #1015982 with the upload.

Regards,
Salvatore



Bug#1036954: RM: matrix-synapse/1.78.0-1

2023-05-30 Thread Salvatore Bonaccorso
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: rm
X-Debbugs-Cc: matrix-syna...@packages.debian.org, 
matrix-syna...@packages.debian.org, t...@security.debian.org, Andrej Shadura 
, car...@debian.org
Control: affects -1 + src:matrix-synapse

Dear release team,

As discussed with Andrej in #1036806 matrix-synapse will be hard to
support during the bookworm release cycle. To avoid we ship it
initially with bookworm, but relatively quickly might need to ask for
removal, let's not ship it from the start.

See https://bugs.debian.org/1036806#30

Regards,
Salvatore



Bug#1036801: unblock: curl/7.88.1-10

2023-05-28 Thread Salvatore Bonaccorso
Hi Samuel,

On Sun, May 28, 2023 at 12:17:21PM +0100, Samuel Henrique wrote:
> Hello Salvatore,
> 
> > After a short discussion with Paul, wouldn't that imply though that
> > there is a soname bump needed? Do you know whether upstream has considered
> > this and if/or why not? Is there enough assurance nobody (even outside
> > the Debian world) is using that symbol?
> 
> Those are all good questions, I should have done a better job at
> explaining this, so let me try doing it now.
> 
> sergiodj@ did a lot of work investigating this as well, so most of the
> things I'll be saying here are his findings (although if I say
> anything wrong here, blame it on me).
> 
> The "curl_jmpenv" variable declaration was guarded by a "#ifdef
> HAVE_SIGSETJMP", but the variable would only be used on "#ifdef
> USE_ALARM_TIMEOUT".
> For Debian, "HAVE_SIGSETJMP" is true but "USE_ALARM_TIMEOUT" is false,
> this is because we use the threaded resolver.
> 
> This means that "curl_jmpenv" was dead code, and double checking for
> mentions of "curl_jmpenv" on codesearch.d.n only returns packages
> which bundles curl, nothing using it.
> 
> Considering the variable was exposed, but not used anywhere (in our
> builds with threaded resolver), I don't think there was any possible
> way dependencies could be making use of it in any meaningful way (this
> is talking about things outside of our official repositories now).

Thank you, I believe this is very important information to allow a
decision on the unblock. It makes sense to me now, and from the
security-tracker point of view I have marked the issue as unimportant
(due to the implication of binary packages not being affected from the
affected source).

> It doesn't make sense for upstream to bump SONAME because the variable
> can still be exposed depending on the build config, it's just that it
> wasn't supposed to be exposed for threaded resolvers first of all.

Understood, I think.

> The CVE that is being fixed by that change should not affect our
> binaries since we build with the threaded resolver, but I ended up
> making a decision to still apply the patch to safeguard even the
> sources.

Ok. I have updated the security-tracker accordingly, since we have
source fixed, but binary packages not affected.

> > These are just a couple of question trying to understand what
> > potential question from release team members my come for your unblock
> > request.
> 
> Thank you for reviewing this.

Did not do much, but was sitting together with Paul from the release
team to go through some unblock requests fixing CVEs and curl was
still on the radar of packages which did not pass yet.

> > p.s.: note it looks autopkgtest view for curl was still blocking it
> > because cwltool has a flaky test (on armel).
> 
> Yeah, curl suffers quite a bit from these since tons of reverse-deps
> use it to fetch resources over the network and that's always flaky
> (not sure if it's the case with cwltool specifically, but I'm used to
> this sort of thing by now).

Ok.

Regards and thanks for your work on curl!
Salvatore



Re: Upcoming OpenSSL release

2023-05-27 Thread Salvatore Bonaccorso
Hi Sebastian

On Sat, May 27, 2023 at 02:17:54PM +0200, Sebastian Andrzej Siewior wrote:
> Hi,
> 
> there is an upcoming OpenSSL release scheduled for next TUE (2023-05-30)
> including one security fix of moderate severity [0].
> For Bullseye I am going to backport ~6 fixes (4 security fixes of minor
> severity which were not yet addressed, the upcoming fix and an
> alternative fix for CVE-2022-4304).
> _Later_ (once time permits) I would open a pu for Bullseye to include
> the final release (1.1.1u) since it only contains fixes.

This sounds good, thanks and hope this time we can do the rebase to
1.1.1u in bullseye-pu accordingly. I suggest to make sure this is
early on the radar of the stable release managers for review but feel
free to ping.

> For Bookworm I would much rather prefer to upload 3.0.9 to unstable and
> open a unblock bug for Bookworm. Looking at the history it contains 169
> commits and only fixes which don't qualify as security issues. (Same for
> the 1.1.1 series but I would prefer to do some testing first and push it
> slowly via pu since it is much further behind (not that I expect
> anything to happen)).
> The Bookworm release is scheduled for the 10th and the announce mail
> claims that the unblock should happen on the 28th (tomorrow) at the
> latest. This will be hard to achieve given that my time machine is
> currently out of operation. This probably means that I need to upload
> to Bookworm-security unless there are exceptions.

If Paul Gevers agrees then I think this is a good plan. If it is too
risky for the release managers at this point and they would rather not
do it, we have the bookworm-security infrastructure set up already. In
the latter case we can have the upload done, have some exposure there,
and upload a 3.0.9~deb12u1 released through bookworm-security (if done
before the bookworm release, just without a DSA advisory).

> Are there other preferences/ suggestions from the release or security
> team? 

Release managers (Paul, Sebastian, Graham), I know you are right now
busy with the last bits, but if you find time to comment that would be
great. Would you be fine with processing an unblock request for the
security update for openssl rebasing to 3.0.9?

Regards,
Salvatore



Bug#1035748: unblock: modsecurity/3.0.9-1

2023-05-27 Thread Salvatore Bonaccorso
Hi Alberto,

On Wed, May 24, 2023 at 12:26:33PM +0200, Paul Gevers wrote:
> control: tags -1 moreinfo
> 
> Hi,
> 
> On Mon, 08 May 2023 18:16:51 +0200 Alberto Gonzalez Iniesta
>  wrote:
> > A new upstream version of modsecurity fixes a security bug
> > (CVE-2023-28882, #1035083).
> > We also fixed a FTBFS in the meantime (#1034760).
> > Also nginx moved to pcre2, which we also did after the current version
> > in bookworm.
> 
> Your message didn't reach our mail list, which typically is a bad sign
> because it means your debdiff is big. New upstream releases are typically
> not what we consider targeted fixes which are all we accept in this phase of
> the release. Please read the FAQ [1] and provide all relevant information
> pointed out there, particularly about upstream's policy on new releases.

Did you see Paul's query? I'm asking since the deadline for unblock
requests is tomorrow already.

Regards,
Salvatore



Bug#1036081: pre-unblock: mariadb/1:10.11.3-1

2023-05-27 Thread Salvatore Bonaccorso
Hi Otto,

On Wed, May 24, 2023 at 05:47:58PM +0200, Paul Gevers wrote:
> Hi Otto,
> 
> On 24-05-2023 17:44, Otto Kekäläinen wrote:
> > The CI
> > detected a couple days ago a regression in Piuparts, potentially due
> > to recent adduser 1.133 upload, which I still need to debug and decide
> > what to do on.
> 
> You can ignore it. It's known and being worked on.

Any news on the upload for unstable? The deadline for unblock requests
is *tomorrow*.

Regards,
Salvatore



Bug#1036801: unblock: curl/7.88.1-10

2023-05-26 Thread Salvatore Bonaccorso
Hi Samuel,

[not a member of the release team, but was going through some potential
unblock requests with CVE fixes]

On Fri, May 26, 2023 at 06:03:13PM +0100, Samuel Henrique wrote:
> Package: release.debian.org
> Control: affects -1 + src:curl
> X-Debbugs-Cc: c...@packages.debian.org
> User: release.debian@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Please unblock package curl
> 
> [ Reason ]
> 4 CVE fixes:
> 
> * Add new patches to fix CVEs (closes: #1036239):
> - CVE-2023-28319: UAF in SSH sha256 fingerprint check
> - CVE-2023-28320: siglongjmp race condition
> - CVE-2023-28321: IDN wildcard match
> - CVE-2023-28322: more POST-after-PUT confusion
>   * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to
> CVE-2023-28320
> 
> [ Impact ]
> The highest CVE severity from upstream is "Moderate".
> 
> [ Tests ]
> Curl has an extensive test suite that's run at build time and on
> autopkgtest, no regressions were detected.
> 
> [ Risks ]
> The patches didn't require any changes which would be worrying.
> Regarding the "curl_jmpenv", there's no package on Debian using that.

After a short discussion with Paul, wouldn't that imply though that
there is a soname bump needed? Do you know whether upstream has considered
this and if/or why not? Is there enough assurance nobody (even outside
the Debian world) is using that symbol?

Curl upstream has the following on it https://curl.se/libcurl/abi.html

These are just a couple of questions trying to understand what
potential questions from release team members may come for your unblock
request.

Regards,
Salvatore

p.s.: note it looks autopkgtest view for curl was still blocking it
because cwltool has a flaky test (on armel).



Bug#1036592: pre-approval: unblock: c-ares/1.18.1-3

2023-05-26 Thread Salvatore Bonaccorso
Hi Gregor,

On Tue, May 23, 2023 at 02:56:41PM +0200, Salvatore Bonaccorso wrote:
> Hi Gregor,
> 
> On Tue, May 23, 2023 at 08:44:48AM +0200, Gregor Jasny wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > X-Debbugs-Cc: c-a...@packages.debian.org
> > Control: affects -1 + src:c-ares
> > 
> > Hello,
> > 
> > [ Reason ]
> > 
> > yesterday version 1.19.1 of c-ares was released which fixes four CVEs.
> > The Debian Security team considers two of them relevant for Debian and
> > I'd like to cherry-pick them into the unstable package so that the fixes
> > can migrate to Bookworm.
> > 
> > Attached you'll find the debdiff. The changes are also visible in Salsa:
> > https://salsa.debian.org/debian/c-ares/-/compare/debian%2F1.18.1-2...master?from_project_id=11264=false
> > 
> > [ Impact ]
> > 
> > CVE-2023-31130 has a CVSS score of 4.1
> > CVE-2023-32067 has a CVSS score of 7.5
> > 
> > [ Tests ]
> > 
> > On the experimental branch I enabled the unit and integration tests:
> > would you consider that commit as acceptable, too?
> > https://salsa.debian.org/debian/c-ares/-/commit/25f515f728eeae82013a9c1cb8aa6ce80e913d09
> > 
> > [ Risks ]
> > 
> > The fix for the 0-byte DoS issue seems to be straight-forward.
> > The fix for inet_net_pton_ipv6 has been synced from OpenBSD and
> > is covered by the unit tests.
> > 
> > Both changes are part of the 1.19.1 release which built and passed
> > tests on experimental (except Hurd):
> > https://buildd.debian.org/status/package.php?p=c-ares=experimental
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > unblock c-ares/1.18.1-3
> 
> Glad to see you worked on it already. I was on it today to propose a
> NMU, due to the deadline for bookworm approaching quickly, until
> Moritz pointed out to me that you had already filed an unblock
> request pre-approval.
> 
> Attached for reference what I did, and so they match. Release team,
> can you accept it as we would like to see as well a bullseye-security
> upload for the same two CVEs and avoid a regression
> bullseye->bookworm?
> 
> Leaving open the question on enabling the testsuite.

Since deadline for unblock requests is approaching quickly I suggest
to focus on the isolated security fixes only. Last possibility to get
packages unblocked is 2023-05-28 12:00 UTC.

Regards,
Salvatore



Bug#1036806: matrix-synapse: not suitable for inclusion in bookworm

2023-05-26 Thread Salvatore Bonaccorso
Source: matrix-synapse
Version: 1.78.0-1
Severity: serious
Tags: upstream security
X-Debbugs-Cc: Andrej Shadura , 
debian-release@lists.debian.org, car...@debian.org, Debian Security Team 


Hi Andrej,

I believe matrix-synapse is still in the same status as for #982991
back for the bullseye release, and not suitable to be included in
bookworm as stable release.

As such let's have it removed from bookworm if you agree. If this is not
correct, we need to have assurance that security fixes arising during the
bookworm cycle can be addressed.

Regards,
Salvatore



Re: Bug#1034824: tomcat9 should not be released with Bookworm

2023-05-26 Thread Salvatore Bonaccorso
hey all,

I was involved with a discussion on site here in Hamburg with Paul
about it.

On Fri, May 26, 2023 at 10:58:48AM +0200, Moritz Muehlenhoff wrote:
> On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> > First of all trapperkeeper-webserver-jetty9-clojure should add a build-
> > dependency on logback to detect such regressions in advance.
> > 
> > #1036250 is mainly a logback problem, not a tomcat problem. I still would 
> > like
> > to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
> > don't find a solution though.
> > 
> > The tomcatjss / dogtag-pki situation is simple too. If there is no way to 
> > make
> > the application work with Tomcat 10, then there are three options:
> > 
> > 1. Embed Tomcat 9 in your application by creating a standalone jar
> > 
> > 2. Continue to use the current Tomcat 9 package as is but make sure that 
> > nobody
> > else than dogtag-pki uses it. (Package descriptions should be adjusted, and 
> > the
> > binary tomcat9 package should be probably removed too) Nobody should think 
> > that
> > we support two major Tomcat versions.
> > 
> > In any case the dogtag-pki maintainers must commit to at least three years 
> > of
> > security support, web application + Tomcat 9. Otherwise this is pointless.
> > 
> > 3. Remove dogtag-pki and tomcatjss from testing and prepare backports as 
> > soon
> > as dogtag-pki and Co support Tomcat 10.
> 
> Can't we just do the pragmatic fix of updating src:tomcat9 to only ship
> libtomcat9-java and libtomcat9-embed-java? The maintenance burden for
> security updates lies within the server stack, the percentage of issues
> affecting the libtomcat9-java binary packages as used by rdeps will be small
> to none?

This indeed would have been the most desirable and pragmatic approach,
which was looked at, but my (limited!) understanding of the situation
is still that this won't work out as we have dogtag-pki's pki-server
binary package depending on tomcat9-user:

respighi:~$ dak rm --suite=bookworm -n -R -b tomcat9-user
Will remove the following packages from bookworm:

tomcat9-user |   9.0.70-1 | all

Maintainer: Debian Java Maintainers 


--- Reason ---

--

Checking reverse dependencies...
# Broken Depends:
dogtag-pki: pki-server

Dependency problem found.

See the followup on that by Markus in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#45; the
answer from Timo Aaltonen seems to be that a switch to tomcat10-user
won't work ...

Thus the proposal at this stage to keep both source packages. Paul
proposed another way forward in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#98 which now
involves one dependency rollback and documenting in the release notes and
debian-security-support what support level we can expect during the
bookworm cycle for src:tomcat9.

To otherwise drop the tomcat9 and tomcat9-user binary packages it would
be needed to drop dogtag-pki as well.

Does this make sense for you Moritz?

Salvatore



Bug#1036678: unblock: ffmpeg/7:5.1.3-1

2023-05-24 Thread Salvatore Bonaccorso
Hi release team,

On Wed, May 24, 2023 at 12:46:45PM +0200, Sebastian Ramacher wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package ffmpeg
> 
> [ Reason ]
> ffmpeg releases stable updates with security fixes on a regular basis.
> For Debian (old)stable, we publish these updates via DSAs. For bookworm,
> we intend to follow 5.1.x release series. The upload to unstable updates
> ffmpeg to the latest release of this series.

FTR, confirming this will be followed as well for bookworm after the
release similar as already done for bullseye and buster as explained
above by Sebastian.

Regards,
Salvatore




Bug#1036531: unblock: firefox-esr/102.11.0esr-1

2023-05-23 Thread Salvatore Bonaccorso
Hi Release team,

On Mon, May 22, 2023 at 09:57:13AM +0900, Mike Hommey wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package firefox-esr
> 
> [ Reason ]
> Security update for Firefox. The same package has already reached
> bullseye.
> 
> [ Impact ]
> See above
> 
> [ Tests ]
> Usual smoke tests
> 
> [ Risks ]
> See above.
> 
> [ Other info ]
> There are no changes to the package debian/ directory other than
> debian/changelog. Everything else is upstream changes for the security
> update.
> 
> unblock firefox-esr/102.11.0esr-1

To confirm: as we have 102.11.0esr-1~deb11u1 in bullseye, and this is
exactly what we will do as well for bookworm for DSAs, please do
accept this unblock request. According to grep-excuses there
should not be anything blocking it.

Thanks for your hard work for the release.

Regards,
Salvatore



Bug#1036475: unblock: xen/4.17.1+2-gb773c48e36-1

2023-05-23 Thread Salvatore Bonaccorso
Dear release team,

On Sun, May 21, 2023 at 10:02:25PM +0200, Maximilian Engelhardt wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock 
> X-Debbugs-Cc: x...@packages.debian.org, t...@security.debian.org, 
> m...@daemonizer.de
> Control: affects -1 + src:xen
> 
> Please unblock package xen.
> 
> [ Reason ]
> Xen in bookworm is currently affected by CVE-2022-42335 and
> CVE-2022-42336 (see #1034842 and #1036298).
> 
> [ Impact ]
> The above mentioned CVEs are not fixed in bookworm.
> 
> [ Tests ]
> The Debian package is based only on upstream commits that have passed
> the upstream automated tests.
> The Debian package has been successfully tested by the xen packaging
> team on their test machines.
> 
> [ Risks ]
> There could be upstream changes unrelated to the above mentioned
> security fixes that cause regressions. However upstream has an automated
> testing machinery (osstest) that only allows a commit in the upstream
> stable branch if all test pass.
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> [ Other info ]
> This security fix is based on the latest upstream stable-4.17 branch.
> The branch in general only accepts bug fixes and does not allow new
> features, so the changes there are mainly security and other bug fixes.
> This does not strictly follow the "only targeted fixes" release policy,
> but, as explained below, we believe it is still appropriate for an
> unblock request.
> The package we have uploaded to unstable is exactly what we would have
> done as a security update in a stable release, what we have historically
> done together with the security team and are planning to continue to do.
> As upstream does extensive automated testing on their stable branches
> chances for unnoticed regressions are low. We believe this way the risk
> for bugs is lower than trying to manually pick and adjust patches
> without all the deep knowledge that upstream has. This approach is
> similar to what the linux package is doing.

I can confirm that this is indeed the strategy for src:xen we would
follow, like for bullseye already, as well in bookworm.

Regards,
Salvatore



Bug#1036453: unblock: libvirt/9.0.0-4

2023-05-23 Thread Salvatore Bonaccorso
Hi Andrea,

On Sun, May 21, 2023 at 12:37:17PM +0200, Andrea Bolognani wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: libv...@packages.debian.org
> Control: affects -1 + src:libvirt
> 
> Please unblock package libvirt
> 
> 
> [ Reason ]
> 
> Fix CVE-2023-2700.
> 
> 
> [ Impact ]
> 
> Fix CVE-2023-2700.
> 
> 
> [ Tests ]
> 
> I haven't found tests covering this specific functionality. However,
> the change is part of libvirt 9.3.0, which is already in Debian
> experimental as well as other distributions such as Fedora, and to
> the best of my knowledge no issues with it have been reported.
> 
> 
> [ Risks ]
> 
> The change has already been reviewed and accepted upstream. The
> function being patched hasn't changed between 9.0.0 and 9.3.0, so the
> backport was a clean one. I have reviewed the changes again in the
> context of the Debian package.
> 
> 
> [ Checklist ]
> 
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> 
> [ Other info ]
> 
> N/A
> 
> 
> unblock libvirt/9.0.0-4

I think in this case you can take advantage of

https://release.debian.org/testing/freeze_policy.html#full

in "Applying for an unblock", item 5, as the diff is very small and
targeted to add the missing g_free you could upload already to
unstable to avoid the additional roundtrip (in particular as the hard
deadlines are approaching).

Hope this helps,

Regards,
Salvatore



Bug#1036548: unblock: cups-filters/1.28.17-3

2023-05-23 Thread Salvatore Bonaccorso
Hi,

On Tue, May 23, 2023 at 03:55:26PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> > Package: release.debian.org
> > Severity: normal
> > User: release.debian@packages.debian.org
> > Usertags: unblock
> > 
> > Please unblock and age package cups-filters
> > 
> > [ Reason ]
> > CVE-2023-24805 (RCE due to missing input sanitising)
> > 
> > [ Impact ]
> > The user would be vulnerable to remote code execution.
> > 
> > [ Tests ]
> > There is no special test for this patch, only a POC that no
> > longer worked after applying the patch.
> > 
> > [ Risks ]
> > The patch was provided by upstream and approved by the security team
> > (upload to Bullseye already done).
> > 
> > [ Checklist ]
> >   [x] all changes are documented in the d/changelog
> >   [x] I reviewed all changes and I approve them
> >   [x] attach debdiff against the package in testing
> > 
> > unblock cups-filters/1.28.17-3
> 
> FWIW, it was released via a DSA for bullseye as well. Thorsten, there
> seems to be a piuparts regression blocking it as well, can you have a
> look?

Looking at the log from
https://piuparts.debian.org/sid/fail/cups-browsed_1.28.17-3.log it
looks this can be ignored, as it is due to the adduser and piuparts
situation.

Regards,
Salvatore



Bug#1036548: unblock: cups-filters/1.28.17-3

2023-05-23 Thread Salvatore Bonaccorso
Hi,

On Mon, May 22, 2023 at 09:39:34AM +, Thorsten Alteholz wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock and age package cups-filters
> 
> [ Reason ]
> CVE-2023-24805 (RCE due to missing input sanitising)
> 
> [ Impact ]
> The user would be vulnerable to remote code execution.
> 
> [ Tests ]
> There is no special test for this patch, only a POC that no
> longer worked after applying the patch.
> 
> [ Risks ]
> The patch was provided by upstream and approved by the security team
> (upload to Bullseye already done).
> 
> [ Checklist ]
>   [x] all changes are documented in the d/changelog
>   [x] I reviewed all changes and I approve them
>   [x] attach debdiff against the package in testing
> 
> unblock cups-filters/1.28.17-3

FWIW, it was released via a DSA for bullseye as well. Thorsten, there
seems to be a piuparts regression blocking it as well, can you have a
look?

Regards,
Salvatore


